Expat-IT Tech Bits




Search this site:


/ (289)
  Admin/ (123)
    Apache/ (10)
      HTTPS-SSL/ (4)
      PHP/ (3)
      performance/ (2)
    Cherokee/ (1)
    LAN/ (4)
    LVM/ (6)
    Monitoring/ (2)
      munin/ (2)
    SSH/ (6)
    SSL/ (1)
    Samba/ (1)
    VPN-options/ (7)
      OpenVPN/ (1)
      SSH-Proxy/ (3)
      Tinc/ (1)
      sshuttle/ (1)
    backups/ (17)
      SpiderOak/ (1)
      backuppc/ (5)
      dirvish/ (1)
      misc/ (6)
      rdiff-backup/ (1)
      rsync/ (1)
      unison/ (2)
    commandLine/ (24)
      files/ (8)
      misc/ (10)
      network/ (6)
    crontab/ (1)
    databases/ (15)
      MSSQL/ (2)
      MySQL/ (8)
      Oracle/ (3)
      PostgreSQL/ (1)
    dynamicDNS/ (2)
    email/ (11)
      Dovecot/ (1)
      deliverability/ (1)
      misc/ (1)
      postfix/ (7)
      puppet/ (1)
    iptables/ (3)
    tripwire/ (1)
    virtualization/ (9)
      VMware/ (1)
      virtualBox/ (8)
  Coding/ (14)
    bash/ (1)
    gdb/ (1)
    git/ (3)
    php/ (5)
    python/ (4)
      Django/ (2)
  Education/ (1)
  Hosting/ (27)
    Amazon/ (18)
      EBS/ (3)
      EC2/ (10)
      S3/ (1)
      commandline/ (4)
    Godaddy/ (2)
    NearlyFreeSpeech/ (3)
    Rackspace/ (1)
    vpslink/ (3)
  Linux/ (31)
    Android/ (1)
    Awesome/ (3)
    CPUfreq/ (1)
    China/ (2)
    Debian/ (8)
      APT/ (3)
      WPA/ (1)
    audio/ (1)
    encryption/ (3)
    fonts/ (1)
    misc/ (6)
    remoteDesktop/ (1)
    router-bridge/ (3)
  SW/ (45)
    Micro$soft/ (1)
    browser/ (2)
      Chrome/ (1)
      Firefox/ (1)
    business/ (28)
      Drupal/ (9)
      KnowledgeTree/ (6)
      Redmine/ (2)
      SugarCRM/ (7)
      WebERP/ (2)
      WordPress/ (1)
      eGroupware/ (1)
    chat/ (1)
    email/ (1)
    fileSharing/ (2)
      btsync/ (1)
      mldonkey/ (1)
    graphics/ (2)
    research/ (2)
    website/ (6)
      blog/ (6)
        blosxom/ (3)
        rss2email/ (1)
        webgen/ (1)
  Security/ (15)
    IMchat/ (2)
    circumvention/ (2)
    cryptoCurrency/ (1)
    e-mail/ (4)
    greatFirewall/ (1)
    hacking/ (1)
    password/ (1)
    privacy/ (2)
    skype/ (1)
  Services/ (1)
    fileSharing/ (1)
  TechWriting/ (1)
  xHW/ (14)
    Lenovo/ (1)
    Motorola_A1200/ (2)
    Thinkpad_600e/ (1)
    Thinkpad_a21m/ (3)
    Thinkpad_i1300/ (1)
    Thinkpad_x24/ (1)
    USB_audio/ (1)
    scanner/ (1)
    wirelessCards/ (2)
  xLife/ (17)
    China/ (9)
      Beijing/ (5)
        OpenSource/ (3)
    Expatriation/ (1)
    Vietnam/ (7)


  • 2019/06
  • 2016/07
  • 2016/05
  • 2016/02
  • 2016/01
  • 2015/12
  • 2015/11
  • 2015/06
  • 2015/01
  • 2014/12
  • 2014/11
  • 2014/10
  • 2014/09
  • 2014/07
  • 2014/04
  • 2014/02
  • 2014/01
  • 2013/12
  • 2013/10
  • 2013/08
  • 2013/07
  • 2013/06
  • 2013/05
  • 2013/04
  • 2013/02
  • 2013/01
  • 2012/12
  • 2012/10
  • 2012/09
  • 2012/08
  • 2012/07
  • 2012/06
  • 2012/05
  • 2012/04
  • 2012/03
  • 2012/01
  • 2011/12
  • 2011/11
  • 2011/10
  • 2011/09
  • 2011/08
  • 2011/07
  • 2011/06
  • 2011/05
  • 2011/04
  • 2011/02
  • 2010/12
  • 2010/11
  • 2010/10
  • 2010/09
  • 2010/08
  • 2010/07
  • 2010/06
  • 2010/05
  • 2010/04
  • 2010/03
  • 2010/02
  • 2010/01
  • 2009/12
  • 2009/11
  • 2009/10
  • 2009/09
  • 2009/08
  • 2009/07
  • 2009/06
  • 2009/05
  • 2009/04
  • 2009/03
  • 2009/02
  • 2009/01
  • 2008/12
  • 2008/11
  • 2008/10
  • 2008/09
  • Subscribe XML RSS Feed

    Creative Commons License
    This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

    This site has no ads. To help with hosting, crypto donations are accepted:
    Bitcoin: 1JErV8ga9UY7wE8Bbf1KYsA5bkdh8n1Bxc
    Zcash: zcLYqtXYFEWHFtEfM6wg5eCV8frxWtZYkT8WyxvevzNC6SBgmqPS3tkg6nBarmzRzWYAurgs4ThkpkD5QgiSwxqoB7xrCxs

    Mon, 03 Jun 2013

    /Security/cryptoCurrency: Bitcoin Still in It's Early Days

    Right now the bitcoin market is about one billion US$, which is a very tiny part of global currency markets. Even if the bitcoin market were to increase by an order of magnitude to ten billion dollars, it would STILL be very small by global currency standards. Given bitcoin's many desirable features, I personally expect it (and perhaps some crypto-currency cousins like Ripple) to go much further, which makes taking at least a small position in bitcoin right now almost a no-brainer, as far as I am concerned. I see only two possible existential risks for crypto-currencies:

    For anyone who has a US bank account and can get themselves organized to provide the two-factor authentication (trivial with an Android phone) that they demand, Coinbase[1] is a VERY easy way to move US$ in and out of bitcoin.

    This is one of the most interesting trades around right now, as it seems to be mostly decoupled from all the regional economic mayhem we call "civilization" these days.

    [1] https://coinbase.com/

    posted at: 03:37 | path: /Security/cryptoCurrency | permanent link to this entry

    Sun, 29 Jul 2012

    /Security/IMchat: Secure Chat with Crypto.cat

    A new project just came over the horizon: crypto.cat[1]

    One of it's more noteworthy features is that it runs right in the browser, for example here[2]. It is also open source, so theoretically one could run one's own crypt.cat server.

    [1] https://project.crypto.cat/
    [2] https://crypto.cat/

    posted at: 23:00 | path: /Security/IMchat | permanent link to this entry

    Mon, 28 May 2012

    /Security/privacy: Tip #1: Increase Privacy Through ISP Diversification

    Google recently became somewhat infamous when it became public knowledge that they are recording, storing, and analyzing every key stroke of their registered, logged-in users. Personally, I believe we can be fairly confident all (certainly all the big ones) online services are doing this to some extent. And the key words here are "registered" and "logged-in". If that is not your state then you have a chance to preserve some of your privacy.

    The behavior to be avoided is the use of one provider for everything, for instance: Google Search, Gmail, GTalk, Google+, etc. Then you are giving that one provider, in this case Google, EVERYTHING. And because you are using all Google's services, you can be fairly sure that you are always logged into Google in all your browsers, even if you use multiple browsers. Even with the best intentions you will often forget to log out and remain logged in for perhaps days without even knowing it.

    By "service provider diversification", I mean you should use different providers for different services. For instance, in my personal case, this is a simplified description of what I use daily:

    That way Google gets ONLY my social media activity and some chat. Microsoft gets ONLY my search activity (and at that, I am faceless to them because I do not need to login to use a search engine) and some of my chat. And gmx.com gets ONLY my private e-mail (actually, only some of it, because I also run my own e-mail server, which is even better -- all geeks should do this).

    posted at: 04:49 | path: /Security/privacy | permanent link to this entry

    Sat, 30 Jul 2011

    /Security/skype: Skype Has Been Compromised

    Skype can no longer be trusted. Truth is, because Skype is closed-source commercial software, they could never be fully trusted anyway, but now there is proof of their misdeeds. Canadian researchers were able to gain access to several misconfigured servers in China which contained millions of Skype text messages, along with the IDs of those who sent them[1][6].

    For years now, Skype has published a Chinese version of their software on tom.com[4]. Apparently it is this version that is logging conversations and passing them on to the Chinese government. And even Skype themselves admit[3] that that includes conversations between a Chinese version of Skype and non-Chinese versions. At this point, there is no evidence that voice communications have also been compromised. But then, at this point, one must assume Skype's credibility as a provider of secure communications to be absolutely zero.

    If you insist on using Skype, please do not download from tom.com. For text communications, may I suggest Pidgin[5]. I have heard of alternatives for secure voice communication, but have not yet had a chance to try them....

    [1] http://www.tgdaily.com/content/view/39577/108/
    [2] http://www.chinapost.com.tw/business/asia/%20china/2008/10/04/177302/Skype’s-China.htm
    [3] http://share.skype.com/sites/en/2008/10/answers_to_some_commonly_asked.html
    [4] http://skype.tom.com/
    [5] http://blog.langex.net/index.cgi/Security/IMchat/
    [6] https://www.eff.org/deeplinks/2008/10/chinese-skype-client-hands-confidential-communicat

    posted at: 04:54 | path: /Security/skype | permanent link to this entry

    Wed, 16 Feb 2011

    /Security/privacy: Privacy: Why You Should Use Firefox with the Noscript Plugin

    Point your browser at this link[1] and then click the "Test Me" button. This is what I got with javascript enabled:

    "Your browser fingerprint appears to be unique among the 1,433,795 tested so far."

    With NoScript[2] installed and turned on in Firefox[3] (thus blocking all javascript, among other things) the test informed me that my browser was only identifiable down to one in about 60,000. That is still not very good, but infinitely better then having a unique fingerprint!

    Just in case it is not clear, that means if you navigate to any given website with javascript turned on, that website KNOWS WHO YOU ARE from that time forward, because your browser is leaving behind a unique, or an almost unique, fingerprint. Unless you also take other measures, they also have your IP address, which can easily be used to identify what city you are in.

    I thought I was just running NoScript to protect myself against hackers, but now I am more then doubly motivated to continue to do so.

    [1] https://panopticlick.eff.org/
    [2] https://addons.mozilla.org/en-US/firefox/addon/noscript/
    [3] https://www.mozilla.com/en-US/firefox/

    posted at: 08:47 | path: /Security/privacy | permanent link to this entry

    Sun, 14 Feb 2010

    /Security/circumvention: Downloading Files When You Are Being Blocked

    I live in China, and I have to deal with file downloads being blocked all the time. Particularly of the Canadian and US news podcasts I am fond of watching. For the record, it is hard to tell whether the Chinese are censoring, or whether the providers are trying to save bandwidth by blocking all of China. I think there is a little bit of both going on. So here is how I deal with it.....

    A lot of things are not blocked, and for that I use Miro[1]. Miro has a lot of nice features for video podcatching. In my often bandwidth-starved situation, chief among them is that Miro is pretty good at resuming interrupted downloads, even after an over-night shutdown.

    For blocked podcasts, I have an encrypted SSH tunnel setup from my desktop to one of my servers in the USA. Setup ssh, autossh, and proxychains per these posts[2]. With my tunnel setup, I use a second piece of podcatching software called gpodder[3], which I start in a terminal like this:

    proxychains gpodder&

    to force all gpodder traffic through my encrypted tunnel. Then use gpodder per normal to download blocked podcasts. However....

    In China, there are often extended periods of time when the powers-that-be use the Great Firewall to interfere with these kind of downloads. Sometimes there are repeated network interruptions that cause large files to fail before there download completes. Sometimes this seems to be combined with bandwidth throttling, where each network connection I make is limited to 5 kb/s of download, which makes the download VERY long, and even more prone to interruptions.

    For these particularly difficult situations, I just use gpodder to pull down the list of files from the podcast feeds. Then I use a Firefox plugin called "SQLite Manager"[4] to open gpodder's datebase in ~/.config/gpodder/database.sqlite. In the table called "episodes" can be found a record for each podcast that has been pulled down from the feed. From that record I can extract the actual URL of the file for the podcast, so that I can then download it with wget[5], which is an extremely robust command-line file downloader.

    Then I can start the download in a terminal like this:

    proxychains wget http://www.url.com/path/to/file/filename.something

    Continuing a partially download podcast is as simple as:

    proxychains wget -c http://www.url.com/path/to/file/filename.something

    (Note the "-c".) It is also worth trying the above wget line first without proxychains, as sometimes only the feed URL is blocked, but the server where the actual files reside is not blocked.

    [1] http://www.getmiro.com
    [2] http://blog.langex.net/index.cgi/Admin/SSH-Proxy/ [3] http://gpodder.org/
    [4] https://addons.mozilla.org/en-US/firefox/addon/5817
    [5] http://www.gnu.org/software/wget/

    posted at: 07:14 | path: /Security/circumvention | permanent link to this entry

    Sun, 07 Feb 2010

    /Security/password: The Simplest Encrypted Password Store

    I have been using keepassx[1] as a partial solution. keepassx runs on Linux, Macs, and Micro$oft operating systems, and allows you to lock the file not only with a password, but also a key file. A really nice piece of software. But I was looking for something command-line oriented, that I could access via SSH on one of my servers with a public IP.

    The very simplest solution[2] seems to be vim[3], a turbo-charged version of the venerable Unix "vi" editor that includes a gnupg plugin (enabled by default on Debian).

    To create an encrypted file with vim, just type:

    vi -x test.gpg

    and you will be prompted for the password that will be used to lock the file. Edit and save. Thereafter, if you

    vi test.gpg -or-
    view test.gpg

    to edit or view the file, you will have to give your password to decrypt it.

    Don't be afraid of vi! You only need to know a few keystrokes to get the basic stuff done. When you first open a file for editing, most keystrokes will be ignored because you are in view mode:

    "i" to enter insert mode
    "R" to enter overwrite mode
    Esc key to return to read-only mode
    "r" to overwrite just one character under the cursor
    "x" or Delete key to delete the character under the cursor
    "dd" to delete the line under the cursor
    "ndd" to delete "n" lines under the cursor
    "yy" to copy ("yank") the line under the cursor
    "p" to past the last the last block of line(s) copied or deleted
    "/text" to search for the string "text"
    "zz" to exit and save
    ":q!" to exit without saving.

    I have been using vi fairly hard for years, and I rarely stray from this short list of keystrokes.

    [1] http://www.keepassx.org/
    [2] http://www.lucas-nussbaum.net/blog/?p=431
    [3] http://www.vim.org/

    posted at: 01:49 | path: /Security/password | permanent link to this entry

    Sat, 16 Jan 2010

    /Security/e-mail: Setting Up PGP E-mail Encryption

    Finally someone has agreed to help me play with PGP e-mail encryption!! So here are my notes:

    In my claws-mail e-mail client, I had to install a plugin (a separate package in Debian) called claws-mail-pgpmime. After restarting, there appeared a "GPG" tab in my per-account e-mail preferences, where I clicked on the "Generate a new key pair" button. (claws-mail apparently does all the necessary pgp stuff under the hood, including adding the new keys to my private key ring....) In the same tab, I also selected the "select key by your e-mail address", which seemed logical. And then in the "Privacy" tab do not forget to select when you want your key sent, and under what circumstances e-mail is supposed to be encrypted. (And I was delighted to see a "Save sent encrypted messages as plain text option", since I have an encrypted home directory anyway.)

    (Note that this FAQ[1] warns that some spammers harvest e-mail address off of the public key servers, so if you intend to publish your key to such a server, choose an e-mail address with good spam filtering....)

    Now for the fun command line stuff....

    PGP can only work if both ends of the communication have one another's public keys, and from what I can tell, the standard way to do that is via the world-wide network of public key servers. For instance, after adding:

    keyserver keyserver.ubuntu.com

    to ~/.gnupg/options, if I open an e-mail signed with a pgp-signature attachment, I can then click on the key icon to the right of my claws-mail message pane and see the prompt:

    "This key is not in your keyring. Do you want Claws Mail to try and import it from a keyserver?

    Of course(!?) this does not work in China because all the keyservers seem to be blocked, so I have to do it through a proxy server as follows:

    proxychains gpg --no-tty --recv-keys A1295TE1D75F5533

    And now claws-mail can verify the signature as "correct". And now

    gpg --list-keys

    will show all the keys on my private key ring, including the one I just imported. That is how I get my friend's public key.

    Per this fine howto[2], I can broadcast my own key to the world thusly:

    gpg --send-keys --keyserver keyserver.ubuntu.com 6D79E522

    where the code at the end of the line is obtainable from the "gpg --list-keys" listing.

    Note that it is also possible to share public keys by exporting them to a file as follows:

    gpg --export -a 6D79E522 > mykey.asc

    and e-mailing the file. Once both ends are supplied with the other's public key, encryption should be trivial.

    [1] http://pgp.mit.edu/faq.html
    [2] https://help.ubuntu.com/community/GnuPrivacyGuardHowto

    posted at: 08:29 | path: /Security/e-mail | permanent link to this entry

    Wed, 25 Nov 2009

    /Security/e-mail: Basic E-mail Security

    (For those who feel the need to send passwords, credit card numbers, Social Security numbers, and various other sensitive information via e-mail.)

    I am going to talk about the network aspect of e-mail security, and therefore will address points 1 to 5 in the diagram below. First, a little very basic knowledge about what happens to your e-mail when it passes through a network:

    When you send an e-mail, to state the obvious, there is no direct electrical connection between your computer and the computer of your recipient. In fact, as it passes between your computers, the e-mail not only passes through wires, but "hops" its way through many (conceivably many, many) routers and switches. Every time the e-mail passes through a router or switch, whomever controls that router or switch can VERY EASILY capture the digital contents of the e-mail if it is not encrypted. If you are sitting in a coffee shop using an open access point, for instance, the person next to you may be recording your e-mail during its very first hop from wireless card to wireless router. And the owner of the shop could conceivably have software running in the wireless router doing the same.

    Summary of rules for secure e-mail communications:

    1. Sender and Receiver should use the same e-mail server.
    2. Only use https, pop3s, imaps (encrypted connections) to your e-mail service.
    3. Use a small security-oriented e-mail service or a personal e-mail server.

              (1)       (2)        (3)           (4)        (5)
                     ----------             -----------
                    |          |           |           |
    Sender =========| Sending  |-----------| Receiving |========== Recipient
                    | Server   |           | Server    |
                    |          |           |           |
                     ----------             -----------

    (3) So, by the numbers: for various technical and historical reasons, segment (3) above between the two servers is virtually always unencrypted. It is not strictly true, but for simplicity at the moment lets say that for the case of a simple unencrypted e-mail, YOU CAN NEVER HAVE A SECURE COMMUNICATION IF SENDER AND RECEIVER ARE USING DIFFERENT E-MAIL SERVERS. Ie. if I us Yahoo and you use Gmail, it does not matter what else we do, when passing from the Yahoo servers to the Gmail servers, the e-mail is exposed to snooping.

    Thus Rule 'a' above. If (2) and (4) are the same server, we eliminate all problems with segment (3). For Rule 'c', choose a small service with an emphasis on privacy and security. The bigger the company, the more employees who have potential access to your e-mail. (For the biggest of the free public e-mail providers, this is probably at least hundreds of people, and maybe thousands.) Best of all, use an e-mail server under the personal control of either sender or receiver (ZERO employees who have access to your e-mail).

    (1)(5) To satisfy Rule 'b', only use an e-mail service that provides encrypted connections to the server:

    Finally, a brief mention of something that should see more use, at least by technical people: make all of the above irrelevant by having both sender and receiver use an e-mail client with GPG[1] encryption configured and enabled. After sender and receiver exchange public encryption keys for two specific e-mail addresses, all future e-mails between those two e-mail addresses are encrypted from the moment they leave the sender's e-mail client until the moment they are received by the recipient's e-mail client. If encryption is not desired for any particular (or even most) communications simply use a different e-mail address then the one configured for encryption. A little effort is involved on both ends for setup, but this is by far the best solution. Most desktop e-mail clients have this capability built-in, it basically just has to be turned on. Webmail users, particularly of gmail, may find the Firefox FireGPG[2] plugin to be useful.

    And if you should choose to ignore all of the above advice and send a password, credit card number, or other personal information via insecure e-mail, you would be advised to not include certain important key words in your e-mail. You might think, for instance, that there is such a vast amount of e-mail passing through an internet switch such that no one will ever notice your insignificant little e-mail. But what if they are filtering the traffic for key words, such as "password" or "credit card"? Suddenly your "insignificant" e-mail containing the word "password" becomes a part of a much shorter list of interesting (to a hacker) e-mails.

    Further reading: [3]

    [1] http://gnupg.org/
    [2] http://getfiregpg.org/
    [3] http://www.sovereignman.com/personal-privacy/how-to-send-secure-email/

    posted at: 00:23 | path: /Security/e-mail | permanent link to this entry

    Sat, 14 Nov 2009

    /Security/e-mail: lockbin.com Has a Reasonable Solution for E-Mail Security

    lockbin.com[1] has a reasonable method for restoring some security to the e-mail arena. The service is a little bit inconvenient so it does not qualify for daily use, but especially when you are dealing with someone who resists taking any precautions at all, this might be quite a good solution.

    To use lockbin you first deliver a shared password to the other person, preferably by some means other then the same e-mail address lockbin is going to use to announce the arrival of a message. Then on lockbin's SSL-encrypted (https) website compose and send your message.

    The recipient receives an e-mail which says, in part:

    "Hopefully, your friend has already given you a special 'Secret Word', which will un-encrypt the message so you can read it."
    containing a link back to his waiting message on the lockbin website. The recipient must then enter the 'Secret Word' to see the message. If he wishes, the recipient can then reply to you using lockbin again, in the same window.

    Needless to say there are some security holes in this arrangement, like the need to trust the system administrators of lockbin, and the need to send the password by some preferably secure channel.

    [1] https://lockbin.com/

    posted at: 05:02 | path: /Security/e-mail | permanent link to this entry

    Thu, 12 Nov 2009

    /Security/e-mail: Big Brother Taking Over Europe

    This article[1] talks about the increasingly tight noose around the throats of users of electronic communications in Europe:

    Now, the Interception Modernisation Programme plans to force all electronic communication providers (wireless companies, cable companies, internet service providers, etc.) to keep a record of every communication by every customer for a period of 1-year, and make the data available to 653 public agencies.

    You must consider all unencrypted e-mail communications to be *public* communications being read by any number of hackers and bureaucrats, and susceptible to being posted on a public website at any time.

    I really do not understand people who do take measures to protect their privacy, which seems to be the vast majority of people. But there are a lot of things I do not understand, I guess....

    [1] http://www.sovereignman.com/personal-privacy/spying-on-your-phone-and-email

    posted at: 00:58 | path: /Security/e-mail | permanent link to this entry

    Sun, 24 May 2009

    /Security/hacking: Did I Just Experience an Attempted "Man-in-the-Middle" Attack?

    Normally, of course, one expects that an encrypted connection between two computers will be private and free of eavesdroppers. But of course, no defence is perfect....

    Just now I tried to SSH from China into one of my servers in the USA. The SSH command failed, with a big banner saying that the key that the server just answered with was not the same as the last time I logged in, and that I might be the subject of a Man-in-the-Middle Attack.

    In a Man-in-the-Middle Attack, someone on a network between me and my destination (those "people" running the Great Firewall of China come to mind, for instance) intercepts my communication with my server, and pretends to be my server. They relay the connection to the actual server, so if I were to ignore the warning about the bad key and log in anyway, I would actually succeed in logging into my server. But whoever intercepted and forwarded the connection would now be able to eavesdrop on the communication, and I bet (do not know right off hand) that they might get my server password as well.

    My response? I tried an SSH into a second server in the USA, and from there SSH'ed into the first server. No problem with both of those. Then I tried a direct connection straight from home to the first server again. This time it worked. No hacker in the middle.

    Do not take security warnings (from software you trust, for which SSH definitely qualifies) lightly.

    posted at: 01:59 | path: /Security/hacking | permanent link to this entry

    Wed, 18 Feb 2009

    /Security/greatFirewall: All Google HTTP Services Blocked

    From where I am sitting near Beijing, for the second day all things Google http have been inaccessible: gmail webmail, the search engine, and Google Adsense ads, to name a few. Web pages containing Google Adsense ads display a banner and maybe a little bit more, and then just sit there and spin. gmail can thankfully still be accessed via an e-mail client using POP and SMTP.

    Since Google Adsense ads are just about everywhere, that means a vast array of websites (including many hosted within China) are effectively blocked. Even my trusty Tor[1] is very, very, slow, no doubt because there are a lot of other people like myself using Tor to try to get some work done.

    This is one of a very short list of things that sometimes makes me wonder why I continue to live in China.

    [1] http://www.torproject.org/

    posted at: 03:01 | path: /Security/greatFirewall | permanent link to this entry

    Tue, 17 Feb 2009

    /Security/IMchat: Chat Monitoring is a Standard Firewall Feature

    And I quote[1]:

    "The IM proxy is the best I’ve seen. Once it’s enabled, every incoming and outgoing IM conversation is logged. After opening up a few channels in IRC - in real-time - it’s possible to view any conversation going through the firewall. MSN, AIM, and other protocols are supported as well. It’s a big-brother feature, but if you want to monitor who you children are talking to, or for whatever reason, I can see it being an invaluable resource to monitor what is going on in a network you control. It would almost be easier to keep track of conversations using the logging tool in Smoothwall instead of multiple instant messenger clients."

    The above quote is from a review of the free version of the Smoothwall[2] firewall -- you do not even have to pay money for this feature in Smoothwall! Meaning this feature is probably simple and common among commercial firewalls. Anyone who thinks that their employer is not listening in on their Yahoo Messenger / MSN / AIM / etc. chat sessions is being extremely naive. Check out this[3]:

    "New IM Reports - Generate new reports on IM including time spent messaging and number of chat friends per user."

    The solution: use a chat client that does encryption:

    [1] http://www.fsckin.com/tag/smoothwall/
    [2] http://www.smoothwall.net/products/
    [3] http://www.smoothwall.net/products/corporatefirewall2008/?whatsnew
    [4] http://www.pidgin.im/
    [5] http://www.cypherpunks.ca/otr/
    [6] http://www.adiumx.com/
    [7] http://www.skype.com/
    [8] http://www.cypherpunks.ca/otr/software.php
    [9] http://www.google.com/talk/
    [10] http://blog.langex.net/index.cgi/Security/skype/

    posted at: 22:45 | path: /Security/IMchat | permanent link to this entry

    Fri, 12 Dec 2008

    /Security/circumvention: Penetrating Firewalls, Internet Censorship, and Eavesdropping

    I just bumped into another interesting site called "Circumvention Tools[1]", which has a nice summary of ways to regain access to blocked / censored websites and prevent others from eavesdropping on things you say and places you go while online.

    Of course Tor[2][3], which provides penetration and privacy, and is one of my personal favorites, gets prominent mention. (And surprise surprise, the Tor website is blocked from where I am sitting right now in P.R.China....) Tor in combination with Firefox and the Firefox torplugin, which allows the Firefox proxy through Tor to be turned on and off with a click of the mouse, is incredibly convenient.

    However, Tor can be really quite slow because not enough Tor users agree to operate exit nodes. So I was intriqued to read about how easy it is to set up a SOCKS proxy[4][7] with SSH. This does require that you have SSH access to another machine outside the network where you are being blocked / spied upon, but that is not so hard. Running a machine at home with dynamic DNS[5] is not too hard in most places (where I live its actually not so easy....) And low-end Virtual Private Servers can be had for as little as US$8 per month[6].

    And finally, in the category of "simple tricks[8]", there are services that will e-mail website content to you in response to an e-mailed request. This strikes me as having other interesting applications beyond penetration.... How about a weather e-mail every morning, with a little help from cron? Or pulling down a site in a very bad / slow network environment?

    [1] http://en.flossmanuals.net/CircumventionTools/
    [2] http://en.flossmanuals.net/CircumventionTools/TorTheOnionRouter
    [3] http://www.torproject.org/
    [4] http://en.flossmanuals.net/CircumventionTools/SSHTunnelling
    [5] http://blog.langex.net/index.cgi/Admin/dynamicDNS/
    [6] http://blog.langex.net/index.cgi/Hosting/
    [7] http://en.flossmanuals.net/CircumventionTools/ConfiguringSocksProxies
    [8] http://en.flossmanuals.net/CircumventionTools/SimpleTricks

    posted at: 09:39 | path: /Security/circumvention | permanent link to this entry