Saturday, October 30, 2010

Firesheep, sidejacking, and SSH Tunneling with DreamHost

In the endless spy vs spy game of net security there have been two recent setbacks for the good guys.

One is the rise of the keystroke logger. That's how I suspect my Google account was hacked from an insecure machine - a corporate laptop running XP. The best response to the keystroke logger is either to carry the 11" MacBook Air -- or to establish disposable network services for use on untrusted devices.

The other setback is the very recent emergence of trivial sidejacking.

Sidejacking is the theft of network credentials, and particularly cookies, by intercepting unencrypted WiFi network traffic. It's been a commonly recognized and widely ignored problem for about three years, but now a security researcher has decided to make ignorance impossible. He's released Firesheep (my 11yo says it should be called "Firerat") to make sidejacking a trivial task for bored kids (emphases mine; he's yelling at Facebook here) ...

... When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.
It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.
Today at Toorcon 12 I announced the release of Firesheep, a Firefox extension designed to demonstrate just how serious this problem is.
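What the quoted passage describes, expressed as the cookie attributes a site owner can check for: a session cookie set without the Secure attribute is replayed by the browser on every plain-HTTP request, which is exactly what travels in the clear on an open network. This is an added example, not code from the original post or from the Firesheep author; the Set-Cookie headers in it are constructed samples, not from any real site.

```python
# Added example (not from the original post or from the Firesheep author):
# audit Set-Cookie headers for the exposure the quote describes.  A cookie
# without the Secure attribute is replayed by the browser on every http://
# request to the site, so on an open WiFi network it travels in the clear
# even when the login itself went over HTTPS.  Sample headers are constructed.

SAMPLE_HEADERS = [
    # Typical 2010-era site: HTTPS login, but the session cookie is not Secure,
    # so the browser hands it over on the very next plain-HTTP page load.
    "sid=3f9a1c7e; Path=/; HttpOnly",
    # Preference cookie with no protective attributes at all.
    "prefs=lang%3Den; Path=/; Max-Age=31536000",
    # Hardened form: only ever sent over HTTPS, and hidden from page scripts.
    "auth=Zm9vYmFy; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued ones (Path, Max-Age, Domain...) to their text."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_cookies(headers):
    """Return one finding per cookie that an open-WiFi eavesdropper or a page
    script could capture; an empty list means every cookie is Secure+HttpOnly."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        problems = []
        if "secure" not in attrs:
            problems.append("no Secure: sent on http:// requests, readable on open WiFi")
        if "httponly" not in attrs:
            problems.append("no HttpOnly: readable by page scripts")
        if problems:
            findings.append(f"{name}: " + "; ".join(problems))
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```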
Sigh. I was hoping to ignore this problem, but now I can't. TUAW has an excellent review of our options: How to guard yourself and your Mac from Firesheep and Wi-Fi snooping. I summarize it as 3 options:
  1. Witopia VPN ($40/year for good-enough PPTP). I used them for two years, after I first worried about sidejacking in 2007, and they provided good service. I'm cheap though, and didn't need them that often, so I decided to wait until the sidejacking problem got worse.
  2. Various solutions that get you into your home network and let you use those presumably secure resources. Too much trouble for me, and too likely to be flaky.
  3. SSH tunneling - aka the poor man's VPN. This forces all traffic through an "SSH tunnel".

I tried Witopia VPN before and I'd recommend them (though I did have technical problems) - but I'm feeling cheap these days. I decided to try SSH tunneling because I already pay for full service hosting through DreamHost, so I have what SSH needs.

(BTW, I love DreamHost. If you sign up with my promo code of KATEVA I get a $50 kickback and you get $50 off your 1st year fee. Today, however, they're offering $110 off -- a full year of service for $9.25. To put it mildly, this is unbeatable.)

This is how the DH wiki page, SSH Tunneling, describes it:

Your Dreamhost account can be used to create a secure tunnel to circumvent firewalls that prevent access to particular websites. This isn't recommended as a replacement for a VPN or similar service, but if you need the occasional ability to reach sites that would otherwise be unreachable *or* need secure access because you are using an unsecured access point, this might be an appropriate solution for you.
SOCKS is the name of the protocol used. SSH is the name of the software used to create the tunnel. There are a number of GUI options available for Windows, Mac OS X, and *nix, but using SSH usually demands a command-line environment. This article will assume that it is installed and configured appropriately. Practically speaking, this information is not that important. You just need to know the magic incantations.
Note: This is a great temporary solution if you need to view something your ISP has blocked for unknown reasons. It should be considered a temporary solution, as it will definitely use bandwidth on your account. When you are on a shared server, it's nice not to abuse the system.

The wiki page provides some Windows instructions using Bitvise (Free!) Tunnelier, but Mac users can get by with the command line (though I will also test OS X Meerkat separately). Here's what I did at DreamHost to get the SSH tunnel working on my 10.6 machine:

  1. Using DreamHost Control Panel:Users:Manage Users, confirm your account has a user set up with a shell account.
  2. In OS X Terminal type:  ssh -D 9999 jgordon@trafficante.dreamhost.com
    • jgordon is not my true username, it's just an example
    • trafficante is my DreamHost server. Yours may be different.
    • 9999 is the port number
    • -D turns on compression
    • Some documentation says to use the N switch for non-interactive, so it would be ssh -ND 9999 jgordon@trafficante.dreamhost.com
  3. Enter this user's password when prompted.
  4. You now have an SSH connection.

To use this SSH connection you have to configure a proxy in OS X from the Network Preference Panel like this:

[Screenshot: SOCKS proxy settings in the OS X Network Preference Panel]

Of course you don't want to keep turning SOCKS on and off in Network Preferences depending on your settings, and you don't want to use SOCKS unnecessarily: it burdens DreamHost and it slows your network traffic. I created a new OS X network "Location" that has the SOCKS Proxy turned on.

Also, when you're done with your connection, please type "exit" in Terminal to close it. That's just politeness.

Here's how you can test if the configuration is working:

  1. Change your "Location" to the one you set up with a SOCKS proxy (I call it Google DNS SOCKS).
  2. Try to open a web page. Nothing should come up, you'll get an error message.
  3. Now run the SSH command to create a connection.
  4. Retry your browser - now it should work.
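A scripted version of the "is the tunnel up" test above, as an added example (not from the original post or from DreamHost's wiki). It assumes the tunnel was started with 'ssh -D 9999 ...', so ssh listens as a SOCKS5 proxy on 127.0.0.1:9999; the stub server inside it exists only so the check can be run without a DreamHost account.

```python
# Added example (not from the original post or DreamHost's wiki): confirm the
# SSH tunnel is really accepting SOCKS connections before switching the browser
# to the proxy Location.  Assumes the tunnel was started with "ssh -D 9999 ...",
# so ssh listens as a SOCKS5 proxy on 127.0.0.1:9999.  The stub server below
# stands in for that listener so the check can run offline.
import socket
import threading

SOCKS5 = 0x05
NO_AUTH = 0x00
NO_ACCEPTABLE = 0xFF


def socks5_ready(host="127.0.0.1", port=9999, timeout=2.0):
    """Send the RFC 1928 greeting (version 5, one method: no authentication)
    and return True only if the peer answers 05 00, as ssh -D does.  A closed
    port, a timeout or a non-SOCKS service on that port all return False."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(bytes([SOCKS5, 1, NO_AUTH]))
            reply = sock.recv(2)
    except OSError:  # connection refused, timeout, reset...
        return False
    return reply == bytes([SOCKS5, NO_AUTH])


def start_stub_proxy(accept=True):
    """One-shot stand-in for the ssh -D listener, for offline demonstration only.
    Binds a free localhost port, answers a single greeting with 05 00 (or 05 FF,
    "no acceptable method") and exits; returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            if conn.recv(3)[:1] == bytes([SOCKS5]):
                conn.sendall(bytes([SOCKS5, NO_AUTH if accept else NO_ACCEPTABLE]))

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print("stub tunnel answers as SOCKS5:", socks5_ready(port=start_stub_proxy()))
    print("real tunnel on 9999 up:", socks5_ready())  # False until ssh -D 9999 is running
```

Whether DNS lookups also ride the tunnel depends on the client: SOCKS5 lets it hand the hostname to the proxy (address type 0x03) instead of resolving locally first, and only in that mode does the DNS question stay off the open WiFi.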

I wonder if I should use a different DNS provider when I do this, currently I'm using Google DNS. For now however that seems to work.

Update: I tested Meerkat. It's a very powerful networking tool; it's not designed primarily for this problem. I can just barely follow the very sparse documentation. Really, a commercial product deserves a bit more documentation.

I think it's easier to just type the ssh command and change Location settings! If you want to try Meerkat as a sidejacking prophylactic, start with this vendor blog post. Note that in this example Meerkat uses port 6666 for the proxy.

I'm going to stick with the command line and using OS X native Location settings.


Friday, October 29, 2010

Google: The Quick, the Sick and the Dead - 4th edition

It's been 4 months since the 3rd edition of Google: The Quick, the Sick and the Dead, so this edition is about two months early. It's time though -- because Google is changing fairly quickly.

Changing quickly, but not improving. In the list below I put in parens the prior QSD rating for each item and I've added a section for the official dead. I've decided to stick with only those Google products I personally use, so I've omitted Android.

Comments below.

The Quick (Q)
  • Google Scholar (Q)
  • Gmail (Q)
  • Chrome browser (Q)
  • Picasa Web Albums (Q)
  • Calendar (Q)
  • Maps and Earth (Q)
  • News (Q)
  • Google Docs (Q)
  • Google Voice (S)
The Sick (S)
  • Google Search (Q)
  • Google Reader (Q)
  • Google’s Data Liberation Front (Q)
  • Translate (Q)
  • Custom search engines (Q)
  • Books (Q)
  • YouTube (Q)
  • Google Apps (Q)
  • Google Profile (S)
  • Google Contacts (S)
  • Google Mobile Sync (S)
  • Google Video Chat (S)
  • Google Checkout (S)
  • Orkut (S)
  • iGoogle (S)
  • Gmail Tasks (D)
The Walking Dead (D)
  • Chrome OS (S)
  • Buzz (S)
  • Blogger (D)
  • Google Groups (D)
  • Google Sites (D)
  • Google Base (D)
  • Knol (D)
  • Firefox/IE toolbars (D)
  • Google Talk (D)
  • Google Parental Controls (D)
The Officially Dead - since last edition
  • Google Desktop (D)
  • Google Wave (D)

Since the last edition there have been three escapes from Walking Dead. Two products are now officially dead and Gmail Tasks has been promoted to merely Sick (still uninteresting). There's been one promotion from Sick to Quick - Google Voice.

Seven products have moved from Quick to Sick - including Search. That's a big one. Google suggest is fun, but Google is losing the splog wars. Too many of the results I get back are splog noise. I love Reader, but the Notes/Comments silliness has to mark it as Sick. I also love the Data Liberation Front, but they're not getting traction any more. I suspect they've lost funding. Translate hasn't made progress on the non-Euro languages, so it's increasingly irrelevant.

Overall, this is a grim time to be a hard core Google user. Of course I don't use Android, and Android gets a lot of press. I wonder, however, given the rest of Google's recent record, how solid Android really is.

I wonder if this performance is ever going to show up in Google's share price.

Thursday, October 28, 2010

The iPhoto 11 (v9.0) data loss bug: permissions again

The killer data loss bug in iPhoto 11 is ... wait for it ... Permissions related:
iPhoto 11: Avoid possible data loss - Mac OS X Hints

A possible bug in the upgrade process by iLife 11 causes a loss in one's library. Even more, some of the 'successful' upgraders are not even aware that they might too have lost some files!

The root of the problem lies in faulty permissions within the iPhoto Library. The solution is to fix the permissions. Repairing permissions in Disk Utility won't help because that doesn't affect user files, only installed programs with Receipts.

... Install BatChmod and run it...
Drag and Drop your iPhoto Library (usually located in your ~/Pictures folder) into the open BatChmod window. 
Change the Letters R, W and X under the Owner, Group and Everyone to a check mark. 
Also select the check mark for the following boxes: Change ownership and privileges, Clear ACLs, unlock box and Apply to enclosed folders and files.
Click Apply...
Have I mentioned I hate the OS X Permissions based security model? It's a botched implementation, and probably the worst part of using OS X. Adding the 10.6 ACL layer seems to have made a bad scene worse.

This bug is yet another example of why I never rush to install Apple products. Apple is a design company, not a quality company. They do this sort of thing routinely.

It's appalling that the installer doesn't check for permissions issues prior to installation. iPhoto has had lots of permissions related bugs in the past, and I've personally run into about a dozen permission related bugs in other parts of OS X. Apple should have tested for problems.

It's too bad there's no legal recourse for these kinds of egregious quality problems.

PS. Google's Blogger removed the paragraph spacing in more than half of the above articles. I hand edited each one. Blogger is proof that Google is made up of flawed humans.

Update: Apple has released the 9.01 fix.

OS X - the Dropbox, Drop Box and Public inversion mystery solved

Something weird was going on.

My 10.6 account had the old "Public" folder containing the familiar "Drop Box".

It also, however, had a "Drop Box" folder containing a Public folder! The Public folder had a document I'd never seen before ...

You can get a public link for any file in your Dropbox's Public folder.
Simply right click (or control click) on a file, click the Dropbox submenu,
and then click 'Copy public link.'

How strange. I don't remember that feature of OS X.

New feature? Inverted Public to Drop Box relationship? What's going on?

OS X hasn't really changed. There's still a "Public" folder containing a "Drop Box". The "new" folder wasn't actually another "Drop Box" -- I'd misread it. It is a "Dropbox" folder -- all one word. It was created when I installed a cloud based file service known as Dropbox.

I'd stopped using it, and forgotten the double meaning. The folder was simply leftover. I deleted "Dropbox".

It is rather confusing ...

Wednesday, October 27, 2010

Why didn't the MacBook Air ship with USB 3?

I'm halfway to buying a MacBook Air, but I'm sticking with Gordon's rules of acquisition. I'm good with #2-#4, but working on really, really wanting it three separate times.

Thanks to the joy of a nearby Apple Store I've touched the 11". I am infected now. I verified that my 51 yo eyes can read the screen -- that was my main concern. I've also confirmed that it's no bigger than an iPad.

My decision would be easier if the Air had shipped with USB 3. That would more than compensate for the lack of Firewire or ethernet ports.

So why doesn't the lovely 11" come with USB 3? Will there be a USB 3 version out this fall?

This Wikipedia article explains ...
... Intel will not support USB 3.0 until 2011 ... These delays may be due to problems in the CMOS manufacturing process ... or a tactic by Intel to boost its upcoming Light Peak interface... Current AMD roadmaps indicate that the new southbridges released in the beginning of 2010 will not support USB 3.0...
This looks ominous. I'd be surprised to see USB 3 in an Apple product before mid-2011. I wouldn't be surprised if they took another path entirely.

Bottom line: USB 3 isn't ready now, isn't likely to be ready for a year, and may yet go the way of Bluetooth (basically dead).

PS. Incidentally, I tested in the Apple store. The MacBook's USB port has enough juice to charge an iPad.

Tuesday, October 26, 2010

Speeding up my sluggish XP Fusion VM

When I gave up my last XP machine, I created a VM from the disk image. It worked, but the performance was poor. My XP VM on an i5 iMac was quite a bit slower than a Windows 2000 VM on my much less powerful MacBook.

It took me a while to speed things up. I removed some custom settings for the Windows swap file and I gave the VM more cores. I upgraded my system memory, which helped too, and gave the VM more RAM.

Even so, I could hear much more disk activity than I liked and file saves were often slow. I don't use the VM for much, so I took my time on fixing this.

More recently, I got some help from VMware KB: Troubleshooting Fusion virtual machine performance for disk issues.

I found the VM had inherited 35% fragmentation from the old disk (I'd also made it too large). I used XP's built in defrag to fix that. Then I ran VMware Fusion's cleanup utility, and I flipped my VM from 2GB files to a single large file.

It's fine now; as fast as I need it to be (not much!).

Monday, October 25, 2010

Tweeting Google Reader Shares and Notes via feedburner

I've been using twitterfeed to tweet my Google Reader Shared Items for about a year (via jgordonshares now).

It's mostly worked, albeit with the limitations of Google's oddball Reader shared item feed. Recently, however, I've been concerned about Twitterfeed's understandable need to monetize their service. It's not the monetization I mind, it's that I'm a passenger wherever they go.

So I poked around a bit. I reviewed some services I'd looked at previously, including RSS Graffiti, but they didn't give me the warm fuzzies. Then I learned I could use a service I already know, Google's Feedburner, to tweet a feed ...
I configured Feedburner to turn my Google Reader Generated Page feed ...
http://www.google.com/reader/public/atom/user%2F06457543619879090746%2Fstate%2Fcom.google%2Fbroadcast
into a Feedburner feed:
feed://feeds.feedburner.com/faughnanreadershares
It took several tries to get it to work. I repeatedly got an "internal error" message even when I provided the shared item web address (http://www.google.com/reader/shared/jfaughnan) and let Feedburner discover the feed. Just as I was about to give up, it worked.

The Feedburner version of the Google Shared Items feed has some interesting properties.  For example, my Reader shared item notes now appear as inline text. I can also get odd links to posted notes like this one:
http://www.google.com/reader/item/tag:google.com,2005:reader/item/4ba48c42d43b00ab
From Feedburner it was easy to link the output from this Atom feed to my jgordonshares Twitter stream. I'm using the following services there ...
  • Optimize
    • Title/description burner
    • BrowserFriendly
  • Publicize
    • Socialize - Twitter
I wonder how long this will work, but for now I'm using Feedburner instead of Twitterfeed to post my Google Reader Shared items and notes to Twitter.
