Instant Messengers, Encryption and Privacy

Standard

Instant Messengers, Encryption and Privacy

In this article I will try to explain in reference to privacy the differences between various instant messengers (SMS, Facebook Messenger, Whatsapp, Signal, Telegram, Threema, Tox, Briar etc) and how their application of encryption (or non-encryption) can affect your privacy.

Why is encryption important?
Generally we don’t like others to read our messages. You might say that is not important to you, because you have nothing to hide. And while this is a valid opinion it disregards, that corporations and other third parties could be interested in what you have to say, how often you say it, how much you say etc. basically analysing your behaviour. That knowledge they can use to derive a profit or influence you (and others, if they have a significant number of people’s behaviour on file). I personally also don’t do anything illegal, but I think my personal business is nobody’s business but my own. So I choose to keep my private things private as much as possible and use encryption whereever viable.

Many people don’t know, that when we send messages without encryption (like Facebook Messenger. Telegram when not using secure messages and SMS) anyone (network operators, service providers and in turn their managements and governments), through whose infratructure your message is transported, could read it. If it is encrypted they cannot read it unless they have the encryption keys.

So the encryption keys are important. In order to assess who might possibly have access to the keys and thus could read your messages we need to look at how those keys are handled, where the messages are transported and who is in charge of the messenger platform in use.

Not all messenger services are equal

SMS – your phone network provider supplies you with the ability to send and receive SMS. They may apply a weak encryption along the way, but too weak to consider this secure. So this is unsecure, which doesn’t mean it is unusable, but certainly an awareness of this suggest you shouldn’t send credit card details or any other sensitive personal data via SMS.

Facebook Messenger – Not encrypted and Facebook’s T&C even say they will read and have the right to assess and use your messages for their purposes.

Whatsapp – While one of the largest services and widely used with an excellent set of functions and is End-to-End encrypted, I have some concerns about the security. Whatsapp is not open source. So the coding cannot be independly assessed. So we have to believe, that they are not doing anything untowards with our messages.

In addtion they say the encryption keys are only on your own phone and that of the person you communicate with, the keys and all messages are still going via their servers. Also Facebook (now Meta, owner of Whatsapp) are based in the USA and could be obligated to give access to your messages to their legal system. So they must be able to do this. The easiest way is to keep your keys somewhere on their systems. We like to believe them, but they certainly have the technical ability to do otherwise. And they require your phone number. Thus making you identifyable.

Signal – A competing messenger service to Whatsapp, but it is open source and indeed an non-profit organisation. So somewhat that might instill more trust, that they will do the right thing, but they are also based in the USA. Thus the same obligation to their legal system is present. And also all keys and messages are going via their servers. They also require your phone number. Thus making you identifyable.

Telegram – Another open source messenger service. They are based in Dubai, a kingdom where the non-elected king takes an active role in governing the country. Telegram offers encrytion, but you need to select to send secure messages. The default is to send NOT secure (like SMS and Facebook Messenger). All keys and messages are also sent via their servers and a phone number is also required to sign up.

Threema – A messenger service based in Switzerland. So you would be covered by Switzerland’s stringent privacy laws. It is not free, but the once off cost of US3.00 is small. It is open source and no phone number is required for sign up. They say they are not keeping your messages, but all keys and messages are going via their servers until they are delivered to your device.

Briar – A messenger service using the Tox protocol harnessing the TOR network and not relying on a central server or needing a phone number. It can also utilise Wifi without internet connection and Bluetooth to transmit messages. “…designed for activists, journalists, and anyone else who needs a safe, easy and robust way to communicate…..”. This is possibly a more convenient solution, but usually with more convenience may come less security.

Tox – A messenger service, that is open source and free, no phone number is required for sign up. So it can be totally anoymous. Since keys are truely only kept locally on your phone or computer and indeed if you want to connect with someone else on this service you would have to find your own way to give them your key so they can communicate with you. So the keys are not going through their servers. The messages are also not going via their servers, but directly from your device to the device of the person you commuicate with. Therefore they and you would have to be online at the same time in order for messages to be delivered between you. You could have the messenger software running in the background (much like all the other messenger services) and messages will be delivered and received (if your communication partner also has it runnning in the background). In addtion you can use the TOR network with the messenger, which is another layer of protection to keep your location anonymous.

I will now describe how to set up a Tox client on Android and on Windows and how to add the TOR network function to the Windows installation. There are clients for Apple MacOS, but unfortunately not for iPhone. The reason for this is possibly, that iPhone’s systems are too restrictive to add the secure Tox client.

 

 

 

 

My website is slow

Standard

Most of the time when a website appears slow it is not the website hosting server, but the internet connection you are using.

We recommend to check your site on this web site:

https://tools.pingdom.com/

You can check the speed of your website from various places around the world.

A good result here means, if there is no problem with your internet connection you should get a good speed perception.

 

Another tool to use is to check if a site just seems down for you or for everyone:

https://downforeveryoneorjustme.com/

 

Factory reset LinkSys SPA942 from handset

Standard

Please do this only if instructed by your sysadmin or you know what you are doing. THIS WILL ERASE ALL YOUR CONFIGUARTION DATA and YOUR PHONE WILL STOP WORKING. You would only want to do this if your want to completely reconfigure your phone.

  1. Press the button under the button with the envelope (the button above the lit button in this picture – may not be lit on your phone)

2. Scroll down with the bottom of the scroll key to number 14

3. Press the Select button

4. Press OK to confirm the factory reset – ALL CONFIGURATION DATA WILL BE DELTETED. YOUR PHONE WILL STOP WORKING.

5. This is what you see during the reset process.

When complete you can reconfigure the phone.

Setup pi-hole ad filter server on AWS in 2 minutes

Standard

We assume you have an AWS account (if not get one here https://aws.amazon.com/) and you know the basics on how to start an instance in AWS (https://aws.amazon.com/ec2/spot/spot-getting-started/).

  • Start an AWS server type in the region of your choice (they start at US$1 per month for spot instances. I use T3A.NANO or T4G.NANO)
  • Open the right ports in the AWS security group (TCP 80, 53, 443, 4711 and UDP 53 at least for an IPv4 server). Of course only for your own IP addresses. DO NOT OPEN THE SERVER FOR ALL. YOUR MACHINE WILL BE ADBUSED VERY QUICKLY. (Some more info)
  • Use OS: Ubuntu 20.04 LTS
  • Assign fixed IP address (Elastic IP)
  • Log into the command line interface of your new server
  • Update with
    apt -y update && apt -y upgrade && reboot
  • Run
    curl -sSL https://install.pi-hole.net | bash
  • Follow the guided installation process. Suggested settings are fine. Although I disable IPv6, because I don’t want to use it. 
  • Take note of the admin password or change it with
    pihole -a -p
  • reboot
  • Ready to go
  • Assign the fixed public IP address to your computers as a DNS server and enjoy browsing with less ads (you can tweak pihole so it is even better at blocking the right stuff, but this is not a subject for this quick guide. Read https://pi-hole.net/ )

The following is optional. You don’t need it, but I like to use my own caching name server. So I don’t have to use the public DNS servers. Reasoning for this is another discussion and I will not cover here. (see https://docs.pi-hole.net/guides/dns/unbound/ under “caching”) 

  1. Install the DNS server on your pihole server
    apt install unbound -y
  2. Edit unbound configuration
    vim /etc/unbound/unbound.conf.d/pi-hole.conf
    A new file is created. Put the following into it:

    server:
    # If no logfile is specified, syslog is used
    # logfile: “/var/log/unbound/unbound.log”
    verbosity: 0

    interface: 127.0.0.1
    port: 6236
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: “/var/lib/unbound/root.hints”

    # Trust glue only if it is within the server’s authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don’t use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10


  3. Make Named/Bind start automatically
    systemctl enable --now unbound
  4. reboot
  5. Then log into the admin interface and go to Settings / DNS and add this:

    Disable the other public DNS services. So you only use your own Caching DNS and click save. 
  6. Ready to go. 
  7. If you have a backup from a previous installation you can now go to the GUI / Settings / Teleporter and upload the backup file. I would also reboot after restoring the backup. 

And even more optional is the setup of a swap file, if you chose a server with little RAM. 

These instructions are very good. 

https://www.digitalocean.com/community/tutorials/how-to-add-swap-space-on-ubuntu-20-04

Adding more DNS lists to get a higher degree of blocking, but also the chance to block stuff you may want I add these lists in “Group Management / Adlists” in the Pi-hole GUI: 

https://adaway.org/hosts.txt

https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt

https://www.technoy.de/lists/blocklist.txt

There are more lists to be found here: 
https://firebog.net/

https://www.technoy.de/lists/blocklists-fuer-pihole/ (in German, but very good)

Remember after adding blocklists you need to update Gravity in “Tools/Update Gravity” in the GUI. Otherwise the list will not be used. 

MAINTANANCE

From time to time you should run the following from the command line to keep everything up-to-date

apt -y update && apt -y upgrade && iphole -up && reboot

BACKUP

You should backup your configuration of pi-hole. So you won’t loose all your hard work in case your server crashes. I do this because I am using AWS spot (Android/ARCH) instances, which are extremely cheap, but AWS can close/terminate them when demand is high on their servers. Backup will help you get back up and running quickly. 

GUI: Settings/Teleporter

Basic squid authentication

Standard

squid.conf

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

# Choose the port you want. Below we set it to default 3128.
http_port 3128

Then on the command line add your user:
htpasswd -c /etc/squid3/passwords username_you_like

and restart squid
service squid3 restart
service squid3 restart

Procmail recipe – smart recipes

Standard

Smart recipes

I use the following handy recipe to forward puzzles that any friend sends to me, while I keep a copy of it myself. That is, I have to perform two tasks at the same time. Here’s how you can go about it:

# forward puzzles to a friend
#and also keep a copy
:0
* ^Subject:.*(puzzle)
{
  :0 c
  ! myfriend@buddy.com

  :0
  puzzle
}

Here we use a nested block (enclosed in braces) instead of an action line. This block allows us to put multiple recipes within it, which are used only if the parent recipe is true.

In both the recipes in the block, we don’t have any condition statements. In the first action, the c flag is used to copy the message. Typically, a message will only run through the first recipe that is true. That is, if we don’t use the c flag, we can’t run the mail through the second recipe. The bang (!) before the email address indicates we want to forward the mail. The second recipe in the block delivers the mail to the puzzle directory.

SOPHOS UTM 9 (Sophos SG Firewall) update firmware

Standard

NOTE: This description is NOT for Sophos XG firewall. That is a completely different product.

Easiest way to manually update / upgrade the firmware in Sophos UTM (aka ASTARO aka Sophos SG firewall) is via the ssh command line interface.

  1. Log into the SSH with Putty or from another ssh server and become root / su.
  2. cd /var/up2date/sys
  3. wget all the needed updates from http://download.astaro.com/UTM/v9/up2date/ :
    wget http://download.astaro.com/UTM/v9/up2date/u2d-sys-9.601005-602003.tgz.gpg
    etc….
  4. Make updates visible and available in the GUI with:
    auisys.plx -showdesc --verbose
  5. Run updates from the GUI or run this command to execute the updates / upgrades in the CLI:
    auisys.plx --verbose
  6. The system will automatically reboot when the updates / upgrades are done.

Continue reading

Setup Sophos XG firewall on Vultr.com virtual server

Standard

There are some tricks required to overcome Sophos’ install idiosyncrasies when trying to install Sophos XG firewall from ISO on a Vultr virtual server.

Sophos UTM (the predecessor) used to be easy to install, but with XG Firewall Sophos have gone back to inflexibility with some basics, that, in my opinion, are unnecessary (SOPHOS, these are things you should fix):

  • 2 network interfaces needed
  • Pre initialisation command line does not allow setting default gateway of any interfaces
  • Pre initialisation command line does not allow setting static IP of all interfaces (only on interface 1)
  • Changing network settings in web admin during initialisation causes loss of access (in this setup case)

So these problems require certain things from Vultr:

  • 2 instances (1 for the XG and another – Linux or Windows – to initially manage the XG)
  • 2 IP addresses in the same subnet (necessary because the XG will only see IPs in the same subnet)
  • Console access to the running instances, which is provided freely by Vultr.
  • Download link to Sophos’ XG ISO

Step by step what I did:

  1. Started 10 (yes ten) servers of the cheapest kind in the hope to get 2 IP addresses in the same subnet, which I did.
  2. Shutdown the other 8 servers as soon as possible, as they cost money.
  3. “Converted” those 2 IP addresses to “reserved IP addresses” – this way you keep them to assign them to the 2 instances you need for this setup process.
  4. Shutdown the 2 instances whose IP addresses you have taken.
  5. Download the Sophos XG ISO to Vultr
  6. Start an instance to install from that ISO and assign one of those 2 reserved IP addresses
  7. Go through the off ISO setup process for Sophos XG. Follow those instructions
  8. Remove ISO from instance. This will reboot the instance and setup will continue.
  9. Login and set the port 1 IP address to the IP address you have allocated above. Then the web interface becomes visible to this network subnet only.
  10. Start another instance of choice with the other reserved IP address in the same subnet. I used a Linux instance, which I ssh’d into and made a tunnel to the XG web interface https://<IP>:4444, but there is no reason (other than cost) why you could not use a Windows instance to access the same web interface from there.
  11. In the Sophos web interface setup enter new password, disable install new firmware and agree to license
  12. select “Continue offline” and confirm you want to continue
  13. Give your machine a name and select your timezone (although you can also change that later)
  14. Continue after basic setup complete.
  15. The next step is critical to get right put only the IP address and the subnet mask exactly like in the command interface in the “LAN Address and Internal Client Network Size” fields. Otherwise you will loose access to the instance and have to start from scratch.
    And disable DHCP
  16. Continue without ticks on network protection (can be changed later)
  17. put your email addresses in the next step  (can be changed later)
  18. Finish. The XG will reboot
  19. Once setup is complete go back into the web interface and login with your new password. You will get the normal XG web interface and you can then make the adjustments in your network settings to get internet access on your XG and register and update etc.
  20. IMPORTANT: make sure you give yourself access to the admin interface from the WAN link otherwise you are locking yourself out and you can start again. See System/Administration/Device Access

Optional extras:

  • I did not register or install licenses or even started a trial and only updated the XG after setup and then I made a snapshot of the XG, because I wanted to release the reserved IP address, as it costs extra unnecessarily. When you create an instance from the snapshot it will have a new dynamic IP address, which is different and you will need to set this in the console interface, which works perfectly for setting the default gateway after setup (Sophos, why not during setup?). Then you can access your new XG via the new IP address. (Yes you can start multiple, because each can get their own IP, serial number and license).
  • Shutdown all unneeded instances and delete the reserved IPs