What’s the Fox Say?

I like Firefox.  It has the visual settings I want, the security features I want, the plugins I want, and the business model I like.  Chrome and Safari in their own right are just fine, but I prefer Firefox.

My employer, however, does not like Firefox, and that is for obvious reasons.  Firefox is a standalone application that doesn’t require root privileges to install or configure.  It also ignores group policy, and maintains its own certificate store.  From an IT admin perspective, it’d be a nightmare to try to support.  So, officially, they don’t.  But, they don’t explicitly forbid its use, either.  In fact, many internal documents offer information that is Firefox-specific.  But, IT also blocks the domains which provide Firefox installation packages, and the company’s Reasonable Use of Company Resources policy does state that circumvention of technological protections is prohibited, so am I violating this policy by, say, acquiring an installation package that I had downloaded onto a domain I control?  I’m not really bypassing these protections, and besides which–I have a business need to test how web code renders in different browsers.  It’s a bit of a grey area.

What isn’t a grey area, however, is the means by which I connect to the Internet.  Naturally, I use the default proxy URL and configuration provided by the company, so all good there.

Then recently, I couldn’t connect at all.  I received a certificate error for every HTTPS page I attempted to access.  Unbeknownst to me, IT had installed a middlebox.

Middleboxes operate by intercepting a connection, breaking it open, then re-encrypting it back to the end user.  This re-encryption, however, requires a re-signing of the contents with a valid certificate.  This certificate is generally a company-generated CA, installed via group policy into every machine’s certificate store.  But since Firefox uses its own certificate store, when the re-signed connection arrived, Firefox only saw that the connection was signed with an unknown and invalid certificate, and promptly terminated the connection as a security measure.  This is, amusingly, the way it’s supposed to operate.  Breaking TLS in this manner violates its purpose, but it works because of its current limitations (at least for now–TLS 1.3 has protections against this but is being pushed back because of its ability to prevent this type of corporate TLS-breaking).

Naturally, I don’t have a problem with the company monitoring the use of its own resources, so you’ll find no soap box argument here.  My main concern, then, was how to get Firefox working again.

Fortunately there’s a buried setting, within about:config.

Simply changing the Value from “False” to “True” will allow Firefox to access and accept the hosting machine’s certificate store, thus allowing corporate TLS certificates to break and re-sign HTTPS.
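As an added example (not code from the post), here is a small audit that reads a Firefox profile’s prefs.js and user.js and reports whether the browser will consult the host machine’s certificate store, i.e. whether it will accept the re-signed connections the middlebox paragraph above describes. The post does not name the about:config entry; the script assumes it is Firefox’s `security.enterprise_roots.enabled` preference, and the sample file contents are constructed.

```python
import re
from pathlib import Path

# The about:config entry the post describes; assumed to be Firefox's real
# security.enterprise_roots.enabled preference (the post does not name it).
ENTERPRISE_ROOTS = "security.enterprise_roots.enabled"

# Matches prefs.js / user.js lines such as:  user_pref("name", value);
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_value(raw):
    """Convert a prefs.js literal: true/false, an integer, or a quoted string."""
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(raw)

def parse_prefs(text):
    """Return {name: value} for every pref line; a later line wins over an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def enterprise_roots_enabled(prefs_js, user_js=""):
    """True when the profile will also trust the OS certificate store.
    Firefox applies prefs.js first and then user.js, whose entries override, so the
    merge is done in that order. An absent pref means the built-in default, which
    the post describes as False."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged.get(ENTERPRISE_ROOTS, False) is True

def audit_profile(profile_dir):
    """Run the check against a real profile directory (missing files count as empty)."""
    def read(name):
        p = Path(profile_dir) / name
        return p.read_text(encoding="utf-8") if p.exists() else ""
    return enterprise_roots_enabled(read("prefs.js"), read("user.js"))

# Constructed sample content, not taken from a real profile.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://intranet.example/");
user_pref("security.enterprise_roots.enabled", false);
'''
SAMPLE_USER_JS = 'user_pref("security.enterprise_roots.enabled", true);\n'
```

With only the sample prefs.js the check reports False (Firefox keeps its own store and the middlebox’s CA is untrusted); adding the sample user.js line flips it to True, which is the state the post’s about:config change produces.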

So at least for now, I can still use Firefox.  I just had to configure it myself, which is no doubt the kind of support IT wants to avoid having to provide.

Curiously, when I’m connected to the company VPN, my traffic doesn’t appear to be funneled through the middlebox.  I wonder if there’s too much overhead to do that, or because since the VPN uses TLS it’d be a technical challenge to separate VPN TLS from HTTPS TLS?  Maybe they’re only concerned about monitoring non-exempts to that extent.  Dunno.

Regardless, Firefox can still play nice in a corporate environment.  It’s just that it has to be manually switched away from its default, and untrusting, policies.

–Simon

Herbie

Remember those old Disney movies with the sentient Volkswagen?  It was a fun take on our tendency as a species to anthropomorphize our vehicles.  And as a kid with few friends, I found the idea of being besties with a car to be a very reasonable movie premise.  So it was that my favorite in the series became Herbie Goes Bananas.  It involved a Hispanic orphan who gets into wacky adventures with the car, culminating in them foiling a plot to steal Aztec gold by a gang of enterprising bandits.  That touch of Indiana Jones in the story must have really taken me in.

Anyway, another individual with a goofy sense of humor must have found meaning in these films too, for we witnessed this in the parking lot during a Target run:

Not exactly a Volkswagen, but no matter.  See you around, Ocho.

–Simon

Whippet Ingenuity

Dogs can be clever when the need arises, though certainly some exhibit this more than others.

Whippets are not winter dogs.  Their short hair and predilection for cuddling conditions them for warm and comfortable environments, and the bitter cold of February simply does not meet these requirements.  In the past, the whippets have simply burrowed deep into blankets and cushions, at times even becoming invisible to the unsuspecting human who wishes to sit upon the couch (resulting in a rather canine-sounding whoopie cushion).  But Poppy took a novel approach, and actively sought ambient heat, apparently not content to merely preserve her own.  It seems like an obvious solution for a dog, but I find it awfully darned funny.

Here she is on a heating register
I thought Man’s mastery of fire was part of what made us different from animals–apparently not

I later found the thermostat cranked up to 90, although I didn’t catch her in the act, so blame seems to point elsewhere.  It would seem that the whippet’s ingenuity is just one example of an inter-species female desperation for heat.

The thermostat will stay at 64!

–Simon

Olympics and VPN

I run a VPN server at home.  This is for 2 reasons: to remotely access local services, and as a security measure to encrypt my phone’s traffic.  These reasons are what I feel to be the primary purpose of VPNs.  This is also what allows me to work at home with a company computer.

However, a consequence of this tunneling is that, from the perspective of any server to which the computer connects, that computer appears “physically” to be at the VPN’s emergence point.  This result, what I consider to be a mere auxiliary function, has caused VPN services to experience a surge in popularity for the sole reason of bypassing geolocation restrictions.  I snub my nose at those who subscribe to services for this reason, as I envision Millennials, deluded with a sense of feeling smarter than everyone else, bypassing “The Man” in order to access streaming content–with no appreciation for the actual security benefits that VPNs provide.

Then the 2018 Olympics arrived and I found myself unwilling to endure yet another year of NBC’s coverage.  Between their endless commentary and commercial breaks every 5 minutes, they’ve done everything in their power to make these events unwatchable.  And they succeeded, at least for me.  So I did exactly what I just expressed my condescension against, and shopped for VPN providers.

I stumbled across a site that actually explained the history of VPNs and their technology, a refreshing divergence from the usual array of clickbait-y sites (a la Gizmodo):

www.bestvpn.com/vpn-encryption-the-complete-guide

Given the comprehensiveness of the supplied information, I took their opinions to be acceptably educated, and subscribed to a month’s service from their top recommendation, www.expressvpn.com.

When the Olympics arrived, I connected to a server in Toronto and loaded the CBC’s live stream.  And behold!:

The CBC is mercifully low on commercials and commentary; and they stream live, rather than delaying for time zones.  I’d launch into some self-righteous rhetoric about runaway capitalism interfering with something whose inherent purpose is contrary to this value, but I’m content to just go watch some more events and stop blogging.

Because, really, when’s the last time anyone in the US got to watch curling?

Simon

See the Light

I hate what the information age has done to information.  By democratizing its access, we’ve devalued it entirely, which in turn has rendered its pursuit a non-viable economic model.  Instead, its value is now determined by aggregation.  The facts themselves are now worthless, but if one has enough sheer volume of facts, then they can drive traffic and by extension, capitalize upon secondary ad revenue.

So with the information itself demonetized, no incentive exists to analyze it–just to present it in a quickly digestible form.  The result is the same sub-1000-word article on every website.  Any academic value it originally had is diluted by this copy-paste method.  No one’s vetting the research, and very few are doing any original research.

I encountered this phenomenon while indulging in a casual curiosity.  The Super Bowl was playing, and there are few things I have less interest in watching, so I ate a can of sardines.  (I forced the child to try one for the character-building experience).

Delicious fish having been consumed, I was left with a can of oil.  I recalled hearing that the fish/olive oil made a good base for an improvised oil lamp (of course it would, seeing as that was the primary purpose of originally harvesting olive oil, which was a major step for humanity towards achieving ubiquitous and affordable artificial light–facts apparently lost to history).  So I rolled up a piece of paper towel into a wick, stuck it in the can, and lit it.  And, unsurprisingly, it burned with the steady flame of an oil lamp.

As I watched the flame, I wondered where I had read that article, whose purpose was to list the unconventional sources of lighting one might find in their kitchen, for use in an emergency.  So I took to the Internet.

And this is where I became irritated with the scenario outlined in the first two paragraphs of this post.  I wouldn’t have much considered that the lists contained the same substances.  After all, there’s only so many combustible liquids in a typical residential building.  But what grabbed my attention was that every article added in the little quip about how burning the sardine oil would make the house smell like fish.  That was because it didn’t.  The little flame is insufficient to bring the contents of the can to the volatiles’ vapor point, and the oil that was actively combusting was heated to the point where anything which would have smelled was denatured.  It was a clean, odorless lamp.

This indicates to me that the original author of the article probably put in the humorous aside, meant to be nothing more than a small joke, and was subsequently copied as a priori fact by content harvesters looking to add information to their own catalogues.

So for fuck’s sake people, do a little bit of original research.

It also bears mentioning that the sardine lamp burned out sometime after I had fallen asleep, so you do get several hours’ worth of illumination from it.  And the sardines were good.

–Simon