The Internets and Social Medias

That’s actually how a company higher-up referred to it: The Internets and Social Medias.  I felt like a kid, talking to some adult who was desperately trying to understand “what the kids are into these days”.  It was painful.

Anti-gay chicken sandwich

The point of that particular email communication was to be careful that when you take to the Internet to obnoxiously voice your opinion about something, as we are all apt to do, that you take pains to avoid having your opinion interpreted as a representative of your employer.  Remember Chick-fil-A and that comment against homosexuals by whoever that executive was?  I get that it’s a Christian company, but it seemed odd to me that we were holding a company accountable for an employee’s personal opinion.  I don’t recall the company ever catching flak for refusing to hire homosexuals, or denying them service, so as far as I know, the company itself hadn’t done anything ethically questionable.  But it demonstrated that people as a whole didn’t want to make that distinction, and so proved my own employer’s concerns.

My point is that this is one consequence of the Internet, which represents something greater: open access to exercise free speech to a worldwide audience, and the major consequences it can have against a powerful individual, whether or not those consequences are justified.  It’s a definite point of concern, but it got me thinking about something even bigger: who, specifically, would be against this paradigm, such that we’re in a constant state of disagreement regarding the openness of the Internet?

And my conclusion is simply that it’s those with the most to lose.  Let’s consider some logic: knowledge is obtained through experience and study.  Study is written information, vetted and discussed.  The Internet is the biggest and most available source of vetted information.  The Internet is therefore knowledge incarnate.  An argument against the openness of the Internet, therefore, is an argument for greater widespread ignorance.  So who would benefit?  I surmise that it would be those who are in power.  Why?  Because the mere fact that they hold positions of power demonstrates that they have benefited from the existing system to this point, which compared to today’s access to information (courtesy of the Internet), has been a period of relative ignorance.

People fear to lose what they have acquired, even when recognizing it doesn’t benefit the common good.  More tangibles means a higher standard of living–something for which we fight tirelessly; it’s human nature.  Conclusion: those in power don’t want to lose power, and consequently perceive the Internet as a direct threat to their power.

Enter: government intervention.  The trend has been to cripple the Internet where its ubiquity benefits the commoner, without threatening areas in which it benefits commerce (AKA: the flow of money and, by proxy, power).  This translates to being able to monitor who does what on the Internet.  If you can build a profile on every citizen, then through historically successful tactics of government action, such as intimidation, threats, and political imprisonment, you can silence anyone who’s informed enough to be a direct threat without destroying the technology itself, and therefore still capitalize upon it while maintaining the power dynamic.

The first approach was to damage the first threat to surveillance: encryption.  In the 1990s there were actual laws which dictated the effectiveness of Internet encryption strength, and even went so far as to classify the technology as a munition, and therefore precluded from international export.  Review the history of PGP for an amusing example.

But stifling encryption ultimately harmed commerce, as the Internet became increasingly commerce-centric.  Money had to flow and it could only do so with encryption.  The restrictions eased, but encryption remained cost-prohibitive to anything outside of commerce, so for a time the government was still in a winning position.  More interested in communication and people’s access to information, the government was still comfortable with the fact that while strong encryption existed, nothing they were interested in monitoring was encrypted.

But then, encryption became universal, recently thanks in part to the push for it by companies such as Google, Mozilla, Apple, and the EFF.  Suddenly, it became infeasible to police the public based on their Internet traffic.  So the government responded with what they tried before: breaking encryption.  Except this time, the commercial Internet entities were no longer solely comprised of companies who unquestionably took the government’s side in all matters.  Encountering resistance by these powerful companies, attempts to renew similar legislation have so far failed (in the US, anyway–Brazil and Britain are two notable counterexamples).

So the power play has taken a new approach.  If you can’t control the technology that runs the Internet, control the infrastructure itself.  In order to do that, it needs to be consolidated–monopolized.  Enter the era of mega-mergers.

Remember?

Time Warner/Comcast/Charter/Verizon/Level 3/AOL–the Internet backbones of the country are quickly becoming one.  In a closed-door tit-for-tat arrangement, these companies assuaged the government leaders’ fear by providing all the financial incentive required to keep those leaders in power, while the leaders responded by further de-regulating legal restrictions, allowing these companies to squeeze additional capital from their customer base.  But as stated, there’s a bigger plan.  This mutually beneficial arrangement extended to ignoring antitrust regulations, giving companies the monopolistic power they wanted to maximize revenue from a competition-less industry.  True, that leaves them unofficially indebted to the government, but the government will then exercise its power to regulate these indebted monopolies for its own purposes, finding a way around the technology to access customer data through the gatekeepers themselves.  And once the industry is monopolized, there will be no fringe competitors available to offer alternatives.

So what is the next step?  I will theorize.  Ultimately we’ll end up with one or two ISPs.  We’ll pay increasingly exorbitant prices for Internet access.  Then they’ll leverage their monopoly over the Internet backbone itself to force a technological loophole.  ISPs may require that customers install an ISP-provided encryption certificate, which would break encryption to the ISPs while still maintaining secure communications for commercial purposes.  They may require customers to use ISP equipment, designed for a similar middle-box proxy service.  They may require something at their business customers’ end, such as logging and surrendering customer information.  There are many specific possibilities, but what’s important is that we as the customer, with no other ISP alternative, will be in no position to refuse.  And the pseudo-anonymity, open exchange of ideas, and access to the world’s repository of knowledge will gradually be lost to the ages until the next violent revolution.

–Simon

My Outlook: Office Doesn’t Excel

Do you know what they improved between MS Office 2013 and 2016?  NOT A DAMN THING!

Okay, to be fair, there were some totally awesome improvements, like…window stacking?  And new Excel graphs.  And there’s this map function apparently.  And better database integration support.  This would totally be worth buying a new license.

Of course, that’s not their MO anymore.  I realize it’s clichéd to blame Millennials for things as I’m apt to do, but it’s totally their fault.  They expect software to have no upfront cost, and to be completely cloud-based.  So now, Microsoft pushes subscription services instead.  Yay, just like DRM!  You never actually own anything anymore.

On the business side, we have the same thing: perpetual contracts, even when the new software adds no value.  So what did Office 2016 change?  Well, they moved all the functions around so I had to find them again.  And now, repeated keystrokes cause some type of application layer panic and everything crashes.

[Image: excelcrash] How about you just let me CLOSE the program?

Rant complete.  But I’m not one to complain without suggesting a solution.  I offer you an alternative: LibreOffice.  It’s an open-source fork.  So while you may be forever forced to use Microsoft products at work, you can still make a choice in your personal computing needs.

Now I’m going to get back to work and see if Excel launches.

–Simon

Certificate Renewal

In accordance with Let’s Encrypt’s (the certificate authority for this site) 90-day SSL certificate expirations, I needed to renew the certificate for this site.  It should be seamless, but if you are using any applications that support certificate pinning, you may receive a notice of a certificate mismatch.  This is normal, and the alert serves as a warning against a possible certificate forgery.  Simply accept the new certificate.  However, for the extra paranoid (myself included), you may validate the new certificate’s authenticity against the fingerprints below:

SHA-1 Fingerprint:

4D:28:C4:DA:0C:DE:48:39:6D:CD:1A:28:E5:D5:CC:46:5C:34:85:32

SHA-256 Fingerprint:

39:4B:3A:D3:40:C5:EA:89:B1:1C:80:F8:E4:E7:2B:30:E4:23:E2:42:4F:BC:6D:EB:86:CD:FA:83:1F:B8:57:BE

The current certificate will be valid until July 16, although I will probably renew it within 2 weeks of that.

–Simon

Local File Repository with .htaccess

So, I run a web server.  I do not pay for hosting.  Maybe one day when I’m rich and famous I’ll have the need to offload my computing and security needs to a third party, but for now it’s the joy of having full control over the hardware that both feeds and permits my curiosity of technology.  Hey, the title of this post was not misleading.  If you’re actually reading this, then you must share some of these interests.

With all web-accessible content comes the need for access control.  Normally I handle this through the operating system’s administration panel, but a need arose in which this wasn’t as practical as I had hoped.  Here’s why:

  • No one can ever remember their login credentials
  • The web GUI is processor-intensive, and therefore slow (especially on mobile devices), leading to user impatience
  • The web GUI doesn’t play nice with mobile OSes in general
  • Mounting network shares is a lot of trouble for a single file (also: see the first bullet)
  • Access control management is a pain, especially when it’s a new user who doesn’t necessarily need access to the server for anything else
  • The files were meant to be shared with anyone on the LAN, who presumably would already have been authenticated by me or else they wouldn’t be on my LAN in the first place
  • When a file needs to be downloaded, and the client doesn’t need to upload anything, few methods are easier and more universal than good ol’ HTTP

Based on these limitations and my needs, I determined the best solution was to create a file repository that was devoid of separate access control, restricted to the local LAN.  Only people on my LAN could access the files, and any people on my LAN by default would have de facto permission to access them (and not those on the guest subnet).

Fortunately, from experience, once I identified these needs I knew the solution, though it did take a little research.  Any web server has individual configuration files which can be applied at the directory level:

  • IIS has “web.config”
  • NGINX has “nginx.conf”
  • Apache has “.htaccess”

[Image: apache]
Naturally I would never be caught dead using IIS, although I was forced to use it for a prior job.  But my server, Linux-based of course, leverages NGINX with an Apache backend.  I had a working familiarity of Apache, and I had already dabbled with .htaccess and .htpasswd files before, as well as modifying the Apache config files to allow their overrides, so this seemed like the best option.

Still with me?  Okay good.  I created a new directory “/public_LAN/” and with the server’s own text editor, created the directory’s own .htaccess file.  And my god why do OSes have to be so difficult with non-standard file extensions?  I know why: some idiot will mess with a critical config file or open malware, but why can’t I turn it off?  I used to be able to edit any file type I wanted with older Apple OSes, but it seems that now it’s forbidden completely.  So no, I couldn’t just open my HTML editor and save a text file as .htaccess because that’s an unsupported extension.  Whatever.

Into this file I placed:

Options +Indexes
ErrorDocument 403 "<h1>403 Forbidden</h1><p>This page is restricted to internal LAN access only:<br><a href='http://192.168.0.106/public_LAN/'>192.168.0.106/public_LAN/</a></p>"
order deny,allow
allow from 192.168.0.
allow from 10.8.0.
deny from all

BAM!  Okay, triumphant interjection aside, what does this mean?  I will explain, else I risk bastardizing the value of this post:

Options +Indexes : This directive enables directory browsing.  Web servers have this off by default for security reasons, but since I was going to use the directory for the very purpose of browsing the files within, I needed to turn it on.  This is how you do it.

[Image: Attempted external access]

ErrorDocument 403 "<h1>403 Forbidden</h1><p>This page is restricted to internal LAN access only:<br><a href='http://192.168.0.106/public_LAN/'>192.168.0.106/public_LAN/</a></p>" : This is optional, but it adds a custom 403 error page (for this directory only).  In short, mine says that if it’s triggered, the user isn’t inside the LAN and therefore can’t go there.  Attentive readers will notice that I neither link to a TLS connection, nor use the domain name.  More on this later.

order deny,allow : This sets the rule that all access will be denied by default first, then checked for conditions under which access is allowed.

allow from 192.168.0. : This line is the condition under which access will be granted.  It is the first 3 blocks of the main LAN IP address.  This includes any client IP address that begins with these 3 blocks–which will be anything on my LAN (excluding the guest network).

allow from 10.8.0. : This is the second set of LAN IP addresses to allow.  In my case, this is the subnet for anything connected to the LAN via VPN.  I wanted this available to VPN clients too as the VPN is handling the authentication and encryption parts already for any remote access.

deny from all : Finally, any client that doesn’t meet the above conditions will be denied access.

[Image: Old-school HTTP directory listing]

Okay, now the two elephants in the room, and all the technical babble.  First is the lack of encryption.  Ultimately I determined that this wasn’t necessary, as any file access would be strictly over the LAN.  If there are untrusted devices on my primary network, then I have bigger problems to deal with.  Also, I can’t serve HTTPS without a domain name being used for the connection, since no Certificate Authority will issue a valid TLS certificate to a private IP address, so I’d have to use a certificate that won’t pass a browser’s domain name validation.  That in itself isn’t a problem, but the browser then warns the client of a potential security risk, which the client may not understand, inciting panic and undermining the entire point of this project: seamless ease of use.  Also, as mentioned before, any remote access will be tunneled through a VPN, so any data that makes it to the outside web will be encrypted anyway.

Second, domain name validation isn’t possible for the above reason, but also because I can’t access this directory via the domain name anyway (okay, I can, but only by local IP; VPN clients still perform a DNS lookup for the host IP, so the client appears to the server to be outside the LAN).  Otherwise the server will see the request coming from the WAN IP rather than the LAN IP, and will therefore block the request.  I could add the WAN IP to the whitelist, but it’s not static, and if it ever changes I’ll have to update the .htaccess file again.  Also, the authentication side of domain name validation is moot while accessing via LAN IP, as it can’t feasibly be faked unless some rogue device is attempting ARP spoofing, again something which, if happening, means I have bigger problems to deal with.  Whew, done.
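To check what this rule set actually does before relying on it, here is an added example (my code, not the post’s) that evaluates a client address against the same directives using Apache’s Order/Allow/Deny semantics: the octet-based matching of the partial addresses, the guest-subnet and WAN-address cases discussed above, and the equivalent Require ip line for Apache 2.4, where Order/Allow/Deny only survive through mod_access_compat.  The guest subnet 192.168.10.0/24 and WAN address 203.0.113.9 used below are constructed.

```python
import ipaddress

# Constructed copy of the access rules the post places in /public_LAN/.htaccess;
# the ErrorDocument line is left out because it does not affect the decision.
HTACCESS = """\
Options +Indexes
order deny,allow
allow from 192.168.0.
allow from 10.8.0.
deny from all
"""

def parse_rules(text):
    """Collect the Order/Allow/Deny directives; everything else is ignored."""
    order, allow, deny = "deny,allow", [], []
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts:
            continue
        keyword = parts[0].lower()
        if keyword == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif keyword in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if keyword == "allow" else deny).extend(parts[2:])
    return order, allow, deny

def host_matches(spec, client_ip):
    """One 'from' argument: 'all', a CIDR block, or a partial dotted address such as
    '192.168.0.', compared octet by octet (covers 192.168.0.0/24, never 192.168.10.x)."""
    if spec == "all":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    if ip.version != 4:
        return False
    wanted = spec.rstrip(".").split(".")
    return str(ip).split(".")[:len(wanted)] == wanted

def is_allowed(rules, client_ip):
    """Apache 2.2 Order semantics (mod_access_compat on 2.4)."""
    order, allow, deny = rules
    allowed = any(host_matches(s, client_ip) for s in allow)
    denied = any(host_matches(s, client_ip) for s in deny)
    if order == "deny,allow":
        return allowed or not denied   # Deny first, Allow overrides; unmatched pass
    return allowed and not denied      # allow,deny: Allow must match, Deny vetoes

def to_apache24(rules):
    """Equivalent mod_authz_core line for the post's deny-by-default allow-list;
    'Require ip' accepts the same partial addresses, minus the trailing dot."""
    order, allow, deny = rules
    if order != "deny,allow" or deny != ["all"]:
        raise ValueError("only the 'order deny,allow' + 'deny from all' form is handled")
    return "Require ip " + " ".join(s.rstrip(".") for s in allow)
```

A VPN client that resolved the public domain name arrives from the WAN address and is refused, exactly as described above; the fix the post chooses (use the LAN IP) keeps the rules unchanged.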

Obviously this isn’t high-end security, but it’s reasonably effective.  I wouldn’t use this method to conduct crime, but if I need to, say, give a somewhat sensitive file to a guest and it’s too big to email, and I don’t want that file publicly accessible, then this is a pretty good solution.  Keep your data safe!

–Simon

Spam and Botnets

Remember those days of Nigerian princes and overseas lotteries?  The ones who just needed a little bit of financial assistance, who would reward you in turn for your efforts with profit a hundred fold?  Or the cheap Viagra?  Or the young Asian girls who want to meet just you?

[Image: Nigerial Lottery] This image isn’t racist, is it?

I’d like to sigh nostalgically and say “Those were the days” except, apparently these are still those days.  Something on the Internet has survived multiple decades.  Go figure.

I run my own email server, and in so doing, need to open certain ports in order to receive email.  One of these ports is port 25–the Simple Mail Transfer Protocol port.  In other words, it’s the default port upon which email moves.  Now, in order to receive most email, I have to open this port, even though I don’t generally use it for my own purposes, preferring newer TLS-by-default port 465, among others.  Technological details aside, I only have port 25 open by necessity, and I don’t use it myself.

But, because it’s universal, botnets continually scan the Internet for servers with this port open.  With modern computational power, it takes a surprisingly short amount of time to scan all the available IPv4 address space.  Consequently, I’m regularly identified as a host with open port 25.

What does this mean?  Generally nothing, except these automated botnets hope that I haven’t bothered to take basic precautions.  Upon seeing the open port, the botnet then attempts to log in, using various default credentials (e.g. Admin, User, root).  Very quickly they move on, but still, I find this irritating.

Unfortunately there isn’t much I can do about it, other than blacklisting by default all non-US IP addresses (excepting any countries to which I’m aware family is currently traveling), and any IP address which previously failed to log in.  But there are still a lot of IP addresses.  And with no recourse, I decided to vent my frustrations by posting a list of offenders.  It is worth a moment to do a Whois and find their geographical regions, if nothing else.  And if one of these is you, it’s time for a malware scan:

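The post’s own response, blocking any address that has already failed to log in, as an added example that is not the post’s code: it counts SASL authentication failures per client over constructed Postfix-style smtpd log lines (an assumed format; the post doesn’t name its mail server), skips the LAN and VPN ranges so a mistyped household password can’t lock out a local device, and renders the result as nftables set entries with assumed table and set names.

```python
import re
from collections import Counter

# Constructed Postfix-style smtpd log lines (assumed format). The addresses are
# TEST-NET documentation ranges plus one LAN host, not the offenders from the post.
SAMPLE_LOG = """\
Apr 12 03:14:07 mail postfix/smtpd[4321]: connect from unknown[203.0.113.9]
Apr 12 03:14:08 mail postfix/smtpd[4321]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Apr 12 03:14:09 mail postfix/smtpd[4321]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Apr 12 03:14:10 mail postfix/smtpd[4321]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
Apr 12 03:14:11 mail postfix/smtpd[4321]: disconnect from unknown[203.0.113.9]
Apr 12 03:20:41 mail postfix/smtpd[4322]: warning: unknown[198.51.100.77]: SASL LOGIN authentication failed: authentication failure
Apr 12 03:21:03 mail postfix/smtpd[4323]: warning: laptop.lan[192.168.0.42]: SASL LOGIN authentication failed: authentication failure
Apr 12 03:21:09 mail postfix/smtpd[4323]: disconnect from laptop.lan[192.168.0.42]
"""

# The client IP sits in brackets immediately before the SASL failure text.
FAILED_AUTH = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]: SASL \w+ authentication failed")

def count_failures(log_text):
    """Number of failed SMTP AUTH attempts per client address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_AUTH.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offenders(log_text, threshold=1, exempt_prefixes=("192.168.0.", "10.8.0.")):
    """Addresses with at least `threshold` failures; 1 mirrors the post's policy of
    blocking anything that ever failed to log in. LAN and VPN ranges are exempt."""
    return sorted(ip for ip, n in count_failures(log_text).items()
                  if n >= threshold and not ip.startswith(exempt_prefixes))

def blocklist_rules(ips):
    """Render the decision as nftables set additions (table and set names assumed)."""
    return [f"add element inet filter smtp_block {{ {ip} }}" for ip in ips]
```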

–Simon