Malicious Users in Analog web stats

Blocking aggressive Chinese crawlers/scrapers/bots

Over the last few days I’ve had a massive increase in traffic from Chinese data centres & ISPs. The traffic has been relentless & the CPU usage on my server kept spiking enough to cause a fault in my cPanel hosting. I’m on a great hosting package with UKHOST4U and the server is fast & stable, but it is shared with a few other websites. This means that I couldn’t just blanket ban Chinese IP ranges. Even though we don’t sell our products in China, it seemed like a very heavy-handed approach, and to block via .htaccess with the entire range of Chinese IP addresses was causing a 2-3 second delay in page parsing (pages normally load in around 600ms). Read More....

Cory Doctrow Webstock 15

Cory Doctrow sets out the future of the internet & ‘smart’ devices – recommended watch from Webstock 15

I’ve been a huge fan of Cory Doctrow for a while now. With regular appearences on 2600’s Off The Hook radio show, not to mention his work for the EFF, he is well known in internet circles.

This video is over an hour long, but goes a long way to explain the direction in which our technology (and the companies who run them) are going. If we leave it to the quasi-monopoly companies we have already, we are in for a rough ride. Recommended for any internet user, especially those with a penchant for smart home devices (he outlines some good real world hacks, including hacking a pacemaker). A great advocation for ignoring all of the apps & walled gardens & returning to the open internet. Read More....

Net Neutrality is dying – but not in the way you might think

Net Neutrality is defined as “the principle that Internet service providers and governments regulating the Internet should treat all data on the Internet the same, not discriminating or charging differentially by user, content, website, platform, application, type of attached equipment, or mode of communication”. While many attacks have been made on Net Neutrality by large corporations, including trying to create a two tier internet & ISP’s slowing the traffic of competing streaming services, on the whole the basic definition of Net Neutrality has remained unscathed. However the definition of net neutrality may just be out of date.

As I see it, net neutrality is already dead. While it may be possible for anyone to create a website or web content & share it with the rest of the world, we have reached a point where a handful of gatekeepers restrict access to that content through their ubiquity & their algorithms.

Take my website for example. The vast majority of my traffic, more than 90%, now comes from google organic search. Only 5 or 6 years ago I would receive traffic from MSN (now bing), Yahoo, AOL, Ask and a plethora of other search engines. I would get hits from DMOZ and other directory sites & I would get lots of links from other blogs and websites.

Today, the majority comes from Google. Google has become the defacto search engine & this is a direct challenge to Net Neutrality. For one, algorithms cater all of your searches to you. This may sound wonderful, but it creates millions of separate filter bubbles. Before google made the algorithm changes that catered search results based on your own activity, a website would climb the ranks based on real world popularity. If you had an amazing blog post or popular webpage it would be promoted up the rankings for all users, regardless of their own browsing habits. This produced a genuine meritocracy in search & every website had its chance to shine, given the content was good.

A few years back, content was ranked based on how many other people linked to it & how authoritative it was deemed. This system could be gamed, but on the whole it worked very well. Around 2012 Google started to make changes. Probably due to the introduction of the Chrome web browser, Android phones and chrome books. Users started to integrate their online lives with Google. A google account was required for Youtube & Gmail and a whole host of their services. At this point, google had the perfect way to start slurping up all of your browsing data, all of your email contents, your google+ posts, your hangouts & messages. This allowed for specific catering of search results & pretty much ended authoritative content on google. This shift to locking users into google services was the first step of the major tech companies in shutting down net neutrality in a new way. It’s no good having great content if Google deems it of no use. This could have huge implications. Think political, social and corporate interests.

Google have made themselves the internet (and not just google, between google, facebook, twitter, instagram & spotify there isn’t any room for competition). By making themselves the first port of call for most web users, they have become the gate keepers. The judges of quality, the architects of our information.

This problem is further compounded by Google’s advertising model. My browser is very secure, I use Ghostery, Adblock & Privacy Badger to block as many trackers & adverts as possible. My search looks very different to that of most regular users, see the screenshots below.

Google with adblock
Google with adblock
Google without adblock - above the fold
Google without adblock – above the fold
Google without adblock - below the fold
Google without adblock – below the fold

As you can see from the above example, searching for badges on Google, in the top screenshot I’m given search results which aren’t filtered by any factors such as my browsing history, location or email contents. This is as close to how google used to work as possible. Without tailoring of my search results I’m mostly given the most relevant and best websites. This doesn’t take into account any blocking from search results google may have done of perfectly relevant content that has been deemed algorithmically unacceptable.

Now the bottom two screenshots tell a different story. That’s how my search looks when I’m logged into google & my ad blockers are turned off. They are hijacked considerably by advertising. Paid links. Most of the content above the fold is advertising content & is given more prominence through styling. It urges a user to click the content. This is not democratic. The more you can pay, the more you can sap search traffic towards content which may be incorrect, irrelevant or misleading. If you have the money, you can top all search results.

It’s the same below the fold, the bottom of the page is full of advertising and noise, the actual search results get lost amongst the noise. This is another way in which net neutrality is being destroyed. My search here is pretty mundane, just searching for badges in the UK, but imagine it was on searches such as climate change, political campaigns or even denial of events. If you had the bank roll & the manpower, you could top all relevant search results & influence a large part of the debate. Given that Google is now the defacto search engine, you could literally get any story in front of everyone searching a topic. The ability to shape or re-write history is yours if you can afford it. This will have profound effects on politics. We have already seen the power of the internet in politics both in the UK & USA and this will only get worse as people discover the power of the internet, not only to influence, but to avoid scrutiny.

I personally use startpage and duck duck go to search. It is not as convenient as being logged into a google account, but I know the results aren’t tailored & that my search history isn’t shaping my view of the internet. I recommend you all consider spreading your search wings & find less intrusive search engines.

Moving on to social media, if it’s photos you are sharing, you probably use Instagram (Facebook), if it’s instant messaging & text messaging, it’s probably whatsapp (Facebook) or Facebook messenger. If you want to share personal thoughts with close friends & family it’s probably Facebook you are using, and for more generic less personal sharing or professional social media use you probably use twitter. For your video watching, you probably use Youtube (google) & for music, no doubt it’s spotify.

You can see the issue here, nearly all of our online lives are controlled by a few companies. It is they who decide what we are allowed to see & they who take payment to promote the websites & views of those with the most money. You probably spend the majority of your time flitting between services owned by Facebook, Google & Twitter. This leads to a serious erosion of net neutrality as you are only exposed on the internet to content they see fit & proper (of course unless money is involved, in which case you can buy as many users eyeballs as your funds will allow).

Facebook is a company I have now distanced myself from. I have an empty profile on there & have even blocked access to Facebook urls in my hosts file on my computers. Facebook is the worst example of both data mining of users data & the filter bubble effect. Facebook wants to keep you online & on their platform, be it via a web browser or app. The Facebook feed used to be a basic set of status updates, you could visit & spend 10 minutes catching up with friends & sharing photos. It was a pretty benign service. I now see it as a serious threat to the open internet. Your Facebook feed is now a never-ending, algorithmically generated quagmire of information, all tailored specifically to you. If Facebook knows you are interested in something, it will show you more of that. Lots more of that. It’s almost impossible to finish using Facebook. All of your likes, all of your comments and all of your activity go towards building a picture of you. They profile every user & compare you to other users. Content other users similar to you like is shown to you. Your bubble becomes smaller and smaller until everybody is exposed only to information which they relate too.

This tailoring of information may sound wonderful if your interest is in something innocent, say kittens or coastal walks, but imagine if your interests are a little more serious. We saw in the UK how Facebook essentially split the country in half. Those of us on the Pro EU side & those on the Anti EU side. Each group were shown more & more information which reinforced their own view, while never being shown the other sides of the argument. This isn’t debate, it’s the reinforcement of divisions in society, the reinforcement of prejudices and without neutrality it has got way out of hand. I stopped using Facebook shortly after Jun 2016 after reading more & more about their algorithms & the filter bubbles they create.

As a web developer I can see the engineering thinking behind these algorithms. As feats of engineering they are superb & very accurate, however as someone who studied Web Development in a humanities department back in 2005 I can see that applying only engineering thinking to social platforms is a recipe for disaster. I believe that the referendum in the UK was extra devastating because of social media. Both sides, from what they could glean from their Facebook pages, thought they couldn’t lose. All of the information they received via Facebook reinforced their own views without ever challenging them. That is not a debate & with such algorithms it will only drive deeper divisions between every niche community in the world. With a referendum or a vote, chances are one side will always lose. It’s the whole point of putting things to a vote, but social media reinforced to both sides that their argument was beyond question to such an extent that the devastation was even greater for the losing side. And it spills out & has real world effects in society.

As I was saying earlier, I learned Web Development very early on. Back then it wasn’t really a thing & my degree route was actually called Web Content Management. We did web design & development, but we also did internet law, internet infrastructure, information architecture & information retrieval. We studied web accessibility for disabled users and a whole host of humanities focused modules alongside the technical modules. This gave me a great oversight of the internet, not just from an engineering standpoint but also that of a user & society in general. Back then, you didn’t google for things, you searched. Youtube didn’t exist, bandwidth was expensive & videos online kept to a minimum. It was much easier to read genuine fresh content, to learn new things & discover new ideas & ways of thinking. Back then it was a neutral place. Discussions were done on IRC or over instant messaging clients. They didn’t take place in public. Tweets didn’t exist & certainly wouldn’t have been used as authoritative quotes in the media. News wasn’t broken, it was triple checked, confirmed, edited and then published. We didn’t use personal information, we used nicknames or handles. We didn’t share private or identifying information. The net was a better place.

If you wanted to publish ideas, you first had to learn a bit about the internet, almost like getting a license to drive. We had netiquette (if you used ALL CAPS you where very angry). If you wanted to write to your MP, you had to write or email, not just shout abuse at them on twitter.

The internet will always have bias as long as engineers are programming the algorithms, but any tailoring based on your own interests introduces another layer of bias which is not healthy. If you think of a traditional library such as a university library, you would go to the shelves housing the subject you where interested in & every single book on those shelves would carry equal weight. Your selection would be based on reviewing a sample of books & choosing the most relevant. Search engines have taken this away from information retrieval as searches are first skewed by paid advertising, then by algorithms & finally by a users search profile. If you are constantly being shown things you are familiar with and never any variation, you will never develop a rounded knowledge of any subject. Imagine walking into a library & there being salesman pushing their books at you, shouting for your attention, it just wouldn’t happen.

I fear for the future of the internet if more people move towards these major tech players. The underlying technology of the internet will probably remain neutral, but if all the portals people use to access the internet are controlled by the likes of Facebook & Google, people will only ever be exposed to the content that is deemed fit. This could lead to major headaches for all democracies. Online electioneering is already beginning, the billionaires are bankrolling the politicians & secretly funding campaigns. They are creating misinformation & fake news is now a thing. They are mining vast quantities of data from social media & targeting users in extremely precise ways online. This funding is known as dark money & as it’s impossible to keep a track of online ad spending it introduces the ability to win elections by buying influence with unlimited spending. All of this information is ours to give, and modern web users give it freely. That needs to change. Consider your privacy, do you want pictures of your children appearing in advertising because in the terms & conditions you agreed to it states that all content becomes the property of Facebook? I know I wouldn’t!

So consider your web usage. If a website requires you to sign-up to browse, look for another service. Try some of the different search engines, they may be slightly less convenient, but your privacy is worth much more to you. If you use a Gmail or Hotmail account, remember that your emails are being scanned & used to cater your search results. Always log out of social media & google when not using them. Consider a service such as Proton mail or self hosted email. Don’t put your most intimate details onto Facebook & twitter. The moment you upload that content you lose control of it. Remember, these services make money from your clicks, they are designed to hold your attention and keep you on their websites. Be careful what you click ‘like’ on. Don’t help them market to you.

Install ghostery to stop these companies tracking your movements around the internet. Don’t rely on Facebook & Twiter for all of your news and facts. Anything that uses an algorithm will never give you balance & will only divide people further.

I intend to write more on this subject. I’ll address different areas one at a time, but hopefully this post will at least get you thinking. There is a world of wonderful & informative information out there on the Web, don’t let Google & Facebook hide it from you.

Whatsapp end to end encryption

End to End encryption – The reasons we can’t just outlaw encryption for all.

Over the past few days in the UK there has been a renewed sense of urgency within government to address & ban/circumvent end to end encryption in communications apps. On Wednesday of last week in the UK an attack was launched on Westminster. During the subsequent investigation it has come to light that the attacker used the WhatsApp messaging app to message a friend or accomplice minutes before the attack. The government’s response to this, perhaps with the best of intentions, is to outlaw or circumvent encryption for the purposes of law enforcement. The reasoning, to stop criminals using platforms to co-ordinate is commendable, however it is totally unworkable. encryption’s raison d’etre is to make interception by a third-party as difficult as possible, if not impossible.

It would be wonderful if the government could figure out a way to allow complete privacy between citizens for all of the personal communications, whilst being able to listen in on the bad guys, but the two aims are mutually exclusive. We have to pick one side or the other, either all of our communications are un-encrypted & able to be read by anyone, or we admit that for the good of the privacy of billions of people, encryption is a must. It’s ethically tough to defend encryption amidst a criminal investigation, especially one as sensitive as an act of terror, however the privacy of millions of UK citizens cannot be surrendered for the sake of a few fringe elements of our society.

If encryption was to be removed from the likes of Whatsapp, iMessage, Facetime and a whole host of messaging apps, people would lose trust in the platforms. Imagine, for example having a video message with your children & not knowing if a third-party was watching your live video stream, making recordings or notes & redistributing them online. Imagine the same party intercepts something intimate, a private exchange between lovers or a chat of confidential nature such as discussing finances. If this video was intercepted it could be used to extort those involved with the threat of publishing said private material in a public place online.

As the internet of things becomes a major industry, consider the implications of an IoT without encryption. Your neighbour accessing your thermostat and turning your heating on while at work to cost you money. A sexual predator using an internet or wi-fi connected video baby monitor to watch & talk to your child in their bedroom. A stalker connecting remotely to your home CCTV system. The list of problems & threats is huge & encryption means that such data can pass over the internet from your home to your device, without any man in the middle or third parties accessing the feeds. This kind of stuff needs discussing to balance the governments insistence on having access to everything.

Imagine you send a photo of your children to a family member, and those photos are intercepted & distributed online among child abusers – the very thought would send chills down your spine & invoke outrage. We trust that information between each other is secure & that no third parties can listen in, including governments. There are thousands of strong arguments in favour of strong encryption & very few strong arguments against.

Another method of interception being discussed freely by MP’s such as Amber Rudd is that of requiring manufacturers of hardware & applications to include back doors into their encrypted apps. This would hopefully give governments free access to accounts while limiting the exposure of  personal information to eavesdroppers and criminals. However a back door into an encrypted system essentially nullifies encryption. If your communications are safe until such a time when someone comes along and reads them through a back door, they aren’t safe at all. Developers spend countless hours securing code & systems against such vulnerabilities, to write one in by default & just bide your time until a criminal cracker (note I’m not using the often incorrect term used by the media of hacker, completely different beast) or questionable regime expose the weakness and they too start reading messages would be madness.

Now, picture the scene. The government of the UK has legislated to require a back door into all hardware & all software which employs encryption. They believe this gives them an edge over criminals & allows intelligence services to track certain individuals. What they haven’t realised is that a third-party government has employed a group of crackers to find & breach these back doors. For months, the emails, text messages sent via iMessage or Whatsapp, the video conferences over Cisco or Facetime, the encrypted VPN’s allowing them to connect to their place of work in Whitehall on the go (I’m assuming they have some sort of encrypted tunnel, I could be wrong) have all been cracked & the contents of all of those communications have been captured. The foreign governments now have intimate knowledge of the inner workings of our democracy. We are exposed & vulnerable & the misinformed MP’s and public via tabloid witch hunts all supported the legislation of back doors. There would be a scramble to find out what had been breached, information would be used against the UK & distributed amongst criminals & foreign governments. We would be facing a leak of monumental proportions & all because we enforced the introduction of a weak spot via a back door. A way around that would be a two tier system where government employees are allowed encryption without back doors while the general public aren’t, but this would be a serious ethical issue in any democracy. It would also leave the public exposed.

I admit, that is an extreme example, but encryption is an all or nothing kind of thing. You wouldn’t, for instance, be happy to give a copy of your house keys to the government so they could pop in whenever they liked to check everything was in order. You wouldn’t allow them to just have a quick read of all of your post before it came to you, just to make sure you where a good citizen. How about someone in a trench coat sitting with you over a romantic dinner to make sure conversation was all to their liking? That would be preposterous, but when it comes to tech, ministers lag behind in a big way.

Let’s use an analogy for the back door in encryption software. Every house in Britain, for securities sake, has to be fitted with a secret door around the back of the house. Only the government would know exactly where it was, just in case they wanted to pop in now and then, but it would be common knowledge that everyone had a secret back door (no puns or innuendo please) which was unlocked and ready to use, if you could just find it. Can you imagine such a use case for that? But the same ministers push for either an end to encrypted communications or at least a way in. My advice to them would be to consult someone with a grasp of technology before coming out on live TV and making statements which are either impossible or unworkable.

MP’s are always banging on (I’m a Northerner, sometimes I like to write with an accent) about making Britain the tech capital of the world. With innovation it could be the next huge export. But with such a simplistic grasp of the basics of tech, it’s hard to imagine how these same people can legislate towards this mecca of a country for innovation. If encryption is outlawed in the UK, our apps will be useless to a worldwide market, the products we produce will be insecure & undesirable. Our ability to harness the power of e-commerce & online finance will be impossible without stronger & stronger encryption. Any watering down of encryption & vilification by MP’s and the press will only make such innovation harder if not impossible.

This website uses encryption via a HTTPS certificate. That means that anyone watching, other than my server & your browser, will only see the metadata of you viewing my website. They will see the time you connected and the top level domain, but not the individual pages you load. Chances are, you have checked your online banking today via an app or your banks website. Good news, those connections are encrypted too. You’ve probably signed into websites today, over encrypted connections and safe in the knowledge that your passwords with that website are hashed & encrypted, so any data dumps or site hacks won’t reveal your password.

Encryption is a fundamental of privacy & guaranteed privacy is the only way that the internet can work for private or transactional data. If you thought your texts where being read, you would seldom say anything which needed to remain private. If logging into your bank meant others could intercept your traffic and access your bank account online, you would never use internet banking. This is where the rhetoric of MP’s without a basic working knowledge collides with the realities of passing data over public networks. If you wanted to tell someone something in secret or confidence, face to face, you would generally meet somewhere with a closing door & without others present. The only way to simulate this kind of data transfer online (over a public network like the internet) is to encrypt the traffic, otherwise it’s the equivalent of shouting your bank card details and billing address across a crowded pub. You wouldn’t do it for fear of someone making a note.

The final issue we need to deal with is retention of data. Since the introduction of the IP Bill a requirement is coming into force that ISP’s and providers need to retain data on their users. Logs & metadata. Without encryption, this could be expanded to keeping a copy of all files you upload to the cloud, a recording of all voice and video chats, retention of all personal instant message chats and countless other data sets. As much as companies try to safeguard this data, eventually they will face a data breach. This could be an external hack or it could be a breach from within such as an employee breaching their privileges and accessing or leaking your data. This kind of breach could expose so many data points & so much personal information about you that your privacy could be breached indefinitely. If someone gains access to your most intimate information, you could potentially face a lifetime of identity theft and frauds in your name. I would hope that any data retained would be encrypted & protected with as much security as possible, but the best defence would be to not require any logging of data. Once it has been deleted or the transaction has taken place, the data expires and its erased. This does prove to be an obstacle for law enforcement, but the security of millions of citizens intimate lives needs to be considered when trying to stop a handful of criminals.

The conundrum faced by politicians is not an easy one, but they need to seek advice from those with the technical skills to educate them. A reactionary “we must tackle” or “we must ban encryption” isn’t a reasoned argument. Criminals use all sorts of tools that regular citizens use. They drive cars, they cook with knives – this means they have the tools required to harm fellow humans. The solution isn’t to ban everything, but to develop tools that can be used to detect. Behavioural patterns, anonymous tip offs, education of the general public – not the removal of all citizens rights to a private life.

Encryption will be the scape goat for a lot of government & tabloid problems, but ultimately without it, we revert to the pre-internet days of filling in forms and transacting face to face. Without the ability to secure over a public network, the internet is nothing more than a public library of information. I’m an academic. I research internet security for my studies & also out of personal interest (I know, my hobbies sound really boring). The discussion around privacy in the UK needs to change. It’s not about having something to hide, it’s the freedom to express yourself and communicate without the fear of someone else reading or hearing your conversations. I believe everyone would see that as a basic right & one that needs protecting.

Let me know your views in the comments. I would love to hear from you. Also, send me any corrections, I’m sure there will be a few. I’ve written this all in one sitting to address concerns brought up by people asking me questions today, following the press coverage, so excuse any errors.

openPGP decrypted email

PGP encrypted emails on Mac OS X/Sierra using GPGtools GPGsuite

As part of my cybersecurity posts I’ve decided to write briefly about PGP (Pretty Good Privacy) encryption of email. We will use GPG which stands for GNU Privacy Guard and is a compatible free software equivalent of Symantec’s proprietary encryption algorithm. Both PGP and GPG are interchangeable so you can use either protocol. These keys use a high level of encryption. I Use RSA 4096 for my keys which is possibly a little overkill, but I like to future proof when learning.

GPG is important for emails as it means that an email remains encrypted between the sender & the receiver. It works on the principle of key pairs. Each user generates a pair of keys, one private key remains secret and on the user’s computer, the other, known as a public key is free to distribute on the internet and allows you to pass it on to those you wish to communicate with.

It is important that your private (secret) key always remains private & you never share it with anyone. The keys are paired so that both are required to encrypt & decrypt emails. I won’t go into the technicals of it, if you are interested there are a lot of free resources which will guide you through the technology.

Encryption also requires a password to be set when creating your key pair. This password allows you to unlock your keys & use them to encrypt your email. Both sender & receiver need to set up a keypair & share their public keys with each other. This allows encrypted communication between both parties.

On OSX/ OS Sierra you can use the free & open source GPG Suite to install the tools required to start encrypting email. The suite includes the GPG keychain which allows you to create your key-pair for your email address, and it also allows you to store the public keys of your recipients & to upload your public keys to public key servers. It allows you to manage & store your keys.

Also in GPG suite you have GPG mail which integrates with the native mac mail client. Much of the encryption process is automated once you setup your keypair, including downloading the keys of recipients you address your emails to. You can also sign your emails with GPG Mail which confirms your email as authentic to the recipient.

First, install GPGsuite using the .DMG file available on their website. If you are using Sierra or require cutting edge enhancements, opt for the beta package.

Once installed you will have an extra option in your settings preference pane called GPG Preferences. This allows you to set your GPG preferences, such as update checking and the public keyserver you would like to use. Most people can just leave this set with the default values.

GPGpreferences icon in your Mac OS settings
GPGpreferences icon in your Mac OS settings
GPG Preferences pane
GPG Preferences pane

The first thing you will want to set up are your keypairs. Make sure you have added the email account you want to start using with encryption as one of your Mac Mail accounts. If you use a free account such as Gmail you can still add it to your Mac Mail software & encrypt emails using that account.

Next, head to your applications folder & select the newly installed GPG keychain application. Open the application and click New in the top left corner. You will be presented with the following screen, showing you your Mac Mail email addresses. In these settings, select the email account you would like to use with GPG encryption, select the box to upload your public key (makes it much easier for people to correspond with you) and enter your passphrase.

The passphrase is a vital part of your encryption as it unlocks your keypair for use. Make sure it is a strong password & one you can remember. Also, my advice is to use a password you only use for encryption. This password is never for use with any online services such as websites. A single hack of any of those sites could reveal your password, so encryption passwords are only for local use.

Once you are happy with your passphrase, click generate key. Your GPG key pair will be generated & public key uploaded to they keyservers.

Setting up a GPG keypair in OSX using GPGsuite
Setting up a GPG keypair in OSX using GPGsuite

You should then see your newly created key within GPG Keychain. You are now good to start creating encrypted emails.

My GPG Keychain.
My GPG Keychain.

My advice, if you are going to start encrypting emails between friends, family or colleagues is to first send them an email with your public key attached. This way, they can import it into their keychain to allow them to email you. They can also send you theirs back. This isn’t a requirement if you have both uploaded them to a keyserver, but it’s always a good idea before you start encrypting communications between you. It’s also a friendly way to allow the other party to know that you want to encrypt your emails & to expect future emails to be encrypted.

Now, fire up Mac Mail and compose a new email, you will see a new OpenPGP option in the top right of your compose window. This will be green if using an email account for which you have created a keypair & will be greyed out if composing from an account without a keypair. In the screenshot below I’m emailing between my own account & my unused gmail account which also has a keypair. As you can see the OpenPGP button is green which means a keypair is present & I can encrypt on this account.

OpenPGP options in Mac Mail
OpenPGP options in Mac Mail

You will also see in the above screenshot the two blue icons. They are blue if they are enabled, but are greyed out if either a public key isn’t present for your recipient or you have opted not to encrypt. If you do have a public key for your recipient in your GPG Keychain you can activate one or both of these buttons. The left one which is a padlock is your encryption button, the right one is your GPG signature to securely sign your email. If sending to someone with whom you have a public key, I would always sign & encrypt.

Once you are setup, emailing is just as straightforward as before. Write your message, your subject and add any attachments you would like. Note that only the body of the email is encrypted, the subject line is not so be careful what you use there as it is publicly viewable. Once you are ready you can hit send, at this point you will be given an OpenGPG prompt for your pass phrase. This is your encryption pass phrase which you setup at the time of creating your key pair. This password will be required every time you encrypt or decrypt an email. You can opt to save the pass phrase in your keychain but I would advise against that. The whole point of encryption is to make email for your eyes only (and your recipient of course) so keep the passphrase to yourself & commit it to memory. It’s just good practice.

Enter your OpenPGP passphrase to encrypt & decrypt emails
Enter your OpenPGP passphrase to encrypt & decrypt emails

The last part of the puzzle is decrypting email. Below is a screenshot I took of the email I just sent between my two accounts. When opening the email you will be asked for your encryption passphrase, this is to unlock your own keypair to decrypt the email. You will see from the screenshot that the email looks like any other, with the exception that it has signature and encryption details. The padlock shows that the email is encrypted.

openPGP decrypted email
openPGP decrypted email

If you follow these steps you will ensure any correspondence sent between you & your friends/family can’t be read by any third-party. This means that if your email account is hacked, the contents of your messages remain private. Perfect for family photos, private information and general personal chatter. It also means that companies such as google can’t read your emails for advertising & data collection purposes. The message remains scrambled with encryption across the whole internet, no matter who intercepts it.

Once you get used to this process it will become second nature. I like the ‘at rest’ security of encrypted emails. I’m less worried about personal emails being hacked or stolen in a data grab. If my server is compromised, my emails are not. I also like the fact that using a completely unique password for my encryption means that my encryption password is never in the wild online. I’ve committed a complex password to memory & I’m not likely to forget it after typing it so many times.

No security is perfect, but this is by far the biggest bang for your buck with regards securing your communications on a day-to-day basis.

You must keep your key pair secure. You can back them up using GPG keychain, both your public & private key, but you must keep them safe. Never put your secret (private) key online or into cloud storage. If you ever lose control of your keypair, someone could pose as you and send emails masquerading as you, not to mention decrypt emails if they guess your passphrase. GPG Keychain has the ability to revoke keys if you feel they have been compromised. You can then generate a new keypair & upload to keyservers as required.

This is just a brief outline of how to get started with OpenPGP using GPGSuite. If you would like to know more, you can read up online. A good starting point is the GPGtools site itself.

If you would like to send your first encrypted email, drop me a message at john AT johnlarge.co.uk using my public key which you can retrieve from the keyservers or download by clicking here. If you want to add to this post or correct please do let me know, like my other cybersecurity posts I’ve kept it as simple and non technical as possible to make it accessible. The post will evolve over time.

Insulation Tape over webcam

Apple Cybersecurity basics – Securing your hardware

I’ve been planning on writing a series of posts on cybersecurity for a while now. I’ve been interested in computer security for decades & have always tried to secure my machines, data & online profiles. In the modern computing landscape, many aspects of basic cybersecurity have been lost. When I started out online, perhaps in the early 90’s, there was a strong culture of using online handles as opposed to your own personal details. We had an awareness that the internet was a public sphere which is universally accessible.

The internet is a public place, but it is also a place where you can’t control data flows. As soon as you upload information or data to the internet, you need to assume it is now on public record. Even if you believe your account is private and secure, there is a good chance that at some point, the data will be used, resold or even hacked & released into the wild. If you approach the internet with this in mind it is very easy to secure your information. I’ll come to internet security later, but let’s start with your hardware itself.

I personally have a lot of computers. I have two Macbook Pro’s and an iMac, I also have Raspberry Pi’s running various versions of Linux & also an old IBM Thinkpad X200 running Trisquel Linux. All of these machines use full disk encryption.

With apple products, make sure your software is up to date. All of my machines run OS Sierra which is a free upgrade. Sierra has a very good version of full disk encryption known as Filevault 2. Filevault 2 allows you to encrypt the entire contents of your hard drive with a password. This means that without the password, the contents of the Hard Drive can’t be read by a third-party. File Vault requires the disk password as soon as you start your machine, so anyone who steals your hardware will be unable to boot your machine to access information & also unable to wipe the hard drive to reinstall the OS on your hard drive. This is vital in case of loss or theft of your devices. We store so much personal information on our devices & their security is as important as securing your own home. Perhaps more important.

The same goes for iPhones. Make sure you use a strong passcode or passphrase to secure your device & consider not using fingerprint access. Your fingerprint is very convenient, but a strong passcode is much more secure. Also, backup your iPhone or iPad to an actual computer and not to iCloud. If someone hacks your iCloud, they could clone your iPhone from one of your own backups & access your entire iOS environment.

The passwords you use should be unique & strong. You should also ensure that your encryption password is never stored or used for any online accounts. Your encryption password should be unique from any other password you use. You can choose a way of codifying your password, for instance take your favourite book (paper back or hard back) and use your birthday to select a page and a line. For instance, pick up a copy of Harry Potter, go to the page number which relates to your day of birth and then on that page go to the line number which relates to your month of birth. Use the text on that line for your password.

You can use any method to code your password, that is just a single example. Whatever you choose, make sure you have a way of reminding yourself which is not obvious. Without your encryption password your data would be lost forever.

Also, on Macs, make sure you disable any guest accounts in Settings > Users & Groups. Turn on the Firewall in Settings > Security & Privacy. This menu also contains the settings for turning on Filevault.

While in Security & Privacy, make sure you choose to require a password after sleep or screen saver. This means that if you need to leave your laptop or desktop unattended, you can put it to sleep to lock the machine or set the screen to sleep after a certain amount of idle time. These are basics steps to secure your machine but will make a vast difference to the physical security of your Mac.

Set your mac to automatically lock
Set your mac to automatically lock

With my iMac I use a Kensington lock to physically lock the machine to my desk. Make sure any external hard drives for your mac are also formatted with encryption & set your encryption password on each of them. This means if any are lost or stolen, for example your time machine backup drive, they cannot be accessed by anyone but those with the encryption password. I encrypt all media including USB flash drives. It only takes seconds to mount them & enter a password, but it does mean that your data is always much more secure. Get into the habit of encrypting & you will massively reduce your exposure to hacking & identity theft.

Something else I always do is use a small roll of black insulation tape to cover up the webcams on my laptops and desktops. You can peel it off easily if you require the webcam for facetime or skype, but most of the time I tend to leave the cameras covered. The camera can be used for spying by both governments & criminals & there have been many cases of people being recorded on their webcams & then blackmailed. For the sake of a few pence, always have a roll of insulation tape and cover your webcams. You can even colour match the tape to your black Macbook/iMac bezel.

 

Insulation Tape over webcam
Insulation Tape over webcam

With regards to securing your iPhone my main advice would be to set a fast timeout on your automatic screen lock. Never leave your phone unlocked & make sure you get into the habit of locking the screen whenever you put the device down. Also make sure under your Touch ID & passcode options in iOS settings, that you opt to require the passcode immediately & that you opt to erase the device after 10 failed attempts. This means that in the event of loss or theft, the device will likely wipe itself before anyone can get your information & identity from the device. You can also use iCloud to remotely message & wipe your Mac’s & iOS devices.

iOS Touch id & Passcode.
iOS Touch id & Passcode.

Mac’s & iOS devices now increasingly rely on cloud services to sync & store your data. Ensure that you setup two factor authentication on your iCloud account, to make sure only someone with access to one of your physical devices can login to your iCloud account. Also, be aware that if iCloud is ever hacked & the encryption keys that Apple hold are accessed, your iCloud data can be decrypted. Ensure that anything you offer up to the cloud is information which isn’t personally identifiable or potentially damaging. The cloud is ideal for mundane documents and data which isn’t specifically personal, but if it is something you want to keep private, don’t ever upload it to cloud services. I’ll cover this more in my next post regarding securing yourself online.

Finally, never give out your encryption password, it is the key to all of your data. Never use it for anything but encrypting, never use it with an online provider. If you do need to make a note of the password, codify & hide it in a way that it can’t obviously be identified as a password. Always aim to physically keep hold of your devices. It is much harder to compromise your devices if they are always in your possession.

Never give out any passwords in email or over the phone. If someone calls asking for your account details, don’t give them out or ask them for their details and phone number & offer to call them back. You can then check the number & details online & call a verified number.

Finally keep software up to date. There are zero day exploits being discovered and utilised daily. You massively decrease your attack surface if you keep software, services & devices patched & up to date.

I will add to this post as & when I think of tips to help. If you have anything to add, please let me know in the comments. There will be loads that I have missed & I expect this post will constantly evolve. I’ve also tried to keep the post as straightforward and non technical as possible. I want the basics to be adopted by everyone, so I’ve left out the in-depth discussions on things like AES & encryption bit sizes.