How to use a computer

25 April 2018


I am often asked for advice on doing various things on a computer and I assume that they are doing everything else securely, and then I find that they don’t have the basics right. So here is my guide to doing the basics right.

Don’t use Windows

OK so some people still haven’t upgraded to a Linux distribution, and I have hit brick walls in trying to convince some of my friends to do this. But this is one of the best things you can do to improve your security. OK keep a separate partition with windows for playing games, everything else is better on Linux.

Update, Update, Update

Make sure that you keep all your software up-to-date, not just the operating system, all those other bits and pieces of software need updating.

When you install software always do this by adding a repository to your package manager, that way when you do your apt full-update everything is updated in one go. (this is one of the main reasons why Linux is better)

Backup, Backup, Backup

All computers can fail, taking your data with them, so you need to make sure the rule of 3 is followed. All data should have 3 copies, the live version, a backup version, and a remote backup.

Use a password Manager

We are just frail humans and we can not remember a different, complex password for every site we need or want a password on. The only way to remember all these passwords is to use a password manager. There are better and worse managers out there but you are much safer using a bad password manager than not using one at all.

Advertisements

Missing Maps Reading

24 February 2018

Unmapped Places

I have been doing some mapping of late for the Missing Maps project. In conversation with people at Reading Geek Night we wanted to see if we could run an event in Reading. Well we have managed to get the use of space at work.life and the promise of some Pizza from Zizzi in King Street.

In the west we take maps for granted. That post arrives, that people can find your place, that government and companies can plan the services they provide. These are so fundamental the functioning of society that we take them for granted. But they require the investment and effort to create.

The picture above is an analysis of data in the OpenStreetMap database. It shows the number of town and village entries that do not have surrounding residential roads. It is a fairly good indicator of the coverage of maps in various areas. Notice that big band of red across the centre of the map. That is the problem.

But there is a very effective way we now have of solving this. We have access to high resolution images of the entire world, we have the software to allow people to look at these and create a simple map of roads and buildings. When we have these base layers it is relatively easy for local people to add names to roads, tag hospitals and schools.

The Missing Maps project is aiming to get the rest of the world mapped. Working with OpenStreetMap, and specifically the Humanitarian OpenStreetMap Team (HOT), to create an open data map of the world. Here is a great little video that explains the project.

So if you are in reading and want to come along, get your ticket here. The first event is 20 March 2018 at work.life 33 King’s Road, RG1 3AR Reading. If you can’t make that we are already planning the next event on 17 April 2018. Come along and help map the world.


Book and Audio book recommendations from Me and my Team

10 January 2018

booksDiscussing good book (and audiobook) recommendations here is my recommendations, and those added by my team at work.

Walkaway by Cory Doctorow

What really happens in a disaster, people help each other, but there is still plenty of disagreement. set in the near future.

Daemon by Daniel Suarez

As the book starts the main character is dead, but then his retribution starts. The title refers to a Unix Daemon…

Ready Player One by Ernst Cline

When online game worlds become the world. with a nostalgic tour through the game worlds of the past. Read the book in preparation for the Film next year.

Mark Sutton

Listen to This by Alex Ross (Recommend Audio Book)

Music correspondent of the New Yorker, accessible insights into how to listen to music from Bjork to Beethoven.

Salka Valka by Haldor Laxness

Sean Wiles

Red Rising by Pierce Brown

Earth is dying. Thousands of workers, who live in the vast caves beneath Mars, mine the precious elements that will make the planet habitable. They are Earth’s only hope. Until the day Darrow learns that it’s a lie. Mars has been habitable – and inhabited – for generations. Darrow disguises himself and infiltrates their society, intent on taking them down. But the surface is a battlefield – and Darrow isn’t the only one with an agenda.

Alone in Berlin by Hans Fallada, Michael Hofmann (translator)

Berlin, 1940. The city is paralysed by fear. But one man refuses to be scared. Otto, an ordinary German living in a shabby apartment block, tries to stay out of trouble under Nazi rule. But when he discovers his only son has been killed fighting at the front he’s shocked into an extraordinary act of resistance and starts to drop anonymous postcards attacking Hitler across the city. If caught, he will be executed.
Soon this silent campaign comes to the attention of ambitious Gestapo inspector Escherich, and a murderous game of cat-and-mouse begins. Whoever loses, pays with their life.

Wool by Hugh Howey

An epic story of survival at all odds and one of the most anticipated books of the year. In a ruined and hostile landscape, in a future few have been unlucky enough to survive, a community exists in a giant underground silo. Inside, men and women live an enclosed life full of rules and regulations, of secrets and lies. To live, you must follow the rules. But some don’t. These are the dangerous ones; these are the people who dare to hope and dream, and who infect others with their optimism. Their punishment is simple and deadly. They are allowed outside. Jules is one of these people. She may well be the last.

Ender’s Game by: Orson Scott Card

Ender Wiggin is Battle School’s latest recruit. His teachers reckon he could become a great leader. And they need one. A vast alien force is headed for Earth, its mission: the annihilation of all human life. Ender could be our only hope. But first he must survive the most brutal military training program in the galaxy…

Foundation by: Isaac Asimov

Long after Earth was forgotten, a peaceful and unified galaxy took shape, an Empire governed from the majestic city-planet of Trantor. The system worked, and grew, for countless generations. Everyone believed it would work forever. Everyone except Hari Seldon.

Matt Kemp

Non-fiction:
The Rise and Fall of the Third Reich by William L Shirer

Excellent account of the Nazi regime taken from Nuremberg Trial papers and interviews, letters and telegrams during the war from the Nazi and Allied vaults. Warning LONG!

D-Day Through German Eyes (1 & 2) by Holger Eckhertz

Excellent account of D-Day from a German perspective, via interviews with German troops and narrative.

I have many more war related ones I’ve read if you’re interested.

A Short History of Nearly Everything by Bill Bryson

Excellent run through of scientific history and discovery.

Anarchism: A Collection of Revolutionary Writings by Peter Kropotkin.

A little hard going, but interesting views on society and anarchism.

Fiction:

Norse Mythology by Neil Gaiman

Fantastic re-telling/re-interpretation of a lot of short Norse mythologies. Good fun

Enchantress (The Everman Saga Book 1) by James Maxwell

Some excellent fantasy reading and part one of a decent series.

The Odyssey by Homer; Alexander Pope

The classics are the best.

Ice Station by Matthew Reilly

1st in a series of absolutely mad crazy-paced action novels. Reilly books barely leave the action for a split second and something to read if you want a break from something heavier.

Nigel Worthy

Some I’ve enjoyed this year ………

Haruki Murakami – Norwegian Wood  (or anything by Murakami)

Ted Chiang – Stories of your life and Others

Neil Gaiman – The Ocean at the end of the Lane.

Mikhail Bulgakov – The Master and Margarita

Kazuo Ishiguro – The buried Giant

Fyodor Dostoevsky – Crime and Punishment, The Karamazov Brothers

Michael Faber – The book of small things

William Gibson – All his books!

Claire North – The first fifteen lives of Harry August   (recommended to me by Jo-Anne and it’s excellent!)

Plato – The Republic

David Mitchell – The Bone Clocks

Brian Krebs – Spam Nation

Jonas Jonasson – The one hundred year old man who climbed out the window and disappeared

Bogdan Dragomir

Here’s one I know you’d enjoy Be Fast Gone Critical Management. Don’t let the title mislead you it is far from being a boring project management book.

In the same vein I would mention The Phoenix Project
A novel about Agile development methods and Dev-Ops, that is not boring.

Petros Theodorakis

I am currently reading Off to be a wizard which is fun. It’s supposed to be something between “Ready player one” and Terry Pratchett’s fantastic books. Being a comics collector since a kid (a long time ago in a galaxy NOT far far away…)

I would also recommend Rock candy mountain.

And after that I am planning to read The Four

Chris Tommasi

I missed this list but thought to add for fun…

some GREAT looking recommendations from everyone… thanks

Matt – the odyssey; wow heavy… good call but heavy dude, well done

to expand Sean’s suggestion to Asimov Foundation (presume series, great btw, thumbs up) to include the Robots Series (Caves of Steel, Naked Sun etc)

Nigel’s great nod to Gibson… and to push it forward. if adventurous then the Shadowrun novels (some hit and miss with different authors) bring a fun blending of cyberpunk and magic…

Add to that a couple of my all time favourite novels… Neal Stephenson’s Snow Crash and Diamond Age (I could gush over this novel all day long) – but if you’re after a little less cyberpunk and more cyber then Cryptonomicon

Petros (the four looks interesting) you mentioned Pratchett – love it or hate it, it’s all good… if you do like that type of thing the BBC has recently re broadcast the radio version of Good Omens a fun collaboration with Neil Gaimen (book is better, but radio fun light listen)

talking radio

finally, if I’ve not forced this on you before then try out Patrick Rothfuss: The Adventures of the Princess and Mr. Whiffle he reads it here (skip to 39:40’ish), it’s only about 10 minutes, but you need to watch, something short but fun to get your teeth into


Evolving internet protocols TLS 1.3, HTTP/2, QUIC, & DOH

5 January 2018

There is a must read blog article by Mark Nottingham on the APNIC Site

Internet Protocols are Changing

Now, significant changes to the core Internet protocols are underway. While they are intended to be compatible with the Internet at large (since they won’t get adoption otherwise), they might be disruptive to those who have taken liberties with undocumented aspects of protocols or made an assumption that things won’t change.

Finally, we are in the midst of a shift towards more use of encryption on the Internet, first spurred by Edward Snowden’s revelations in 2015. That’s really a separate discussion, but it is relevant here in that encryption is one of best tools we have to ensure that protocols can evolve.


A neat data sharing technique

2 June 2017

We needed to share some data with another company, and this related to Credit card transactions. But we did not want to share the actual card numbers (PANs), what to do. What we came up with is quite neat, and can probably be used by others.

The external company collects the card numbers they want information on, they encrypt these with RSA with a key they generate and do not share. They send these encrypted numbers to us, we further encrypt them with our own RSA key and jumble the order of the entries, then send them back. So now they have a set of PANs double encrypted.

We perform an extract of the relevant transactions and encrypt the PANs with our RSA key, and send these as well. Now the recipients of these can encrypt these with their key and because RSA is a commutative function, can match up the two sets to see if the PANs they sent to us were used in the extracted transactions.

We have added a daily salt to these encryptions so that correlations can’t be used to work out which encrypted PANs map to the original PANs, and we bulk up the transactions so that individual transactions cannot be identified.

A friend of mine wrote up the proof of this:

Let Nv = our Key Modulus

Let E = our Operand (a number greater than 1, which is carefully chosen…)

So our Public Key, Vp = the couplet (Nv, E)

[Ignoring the Private Key as it’s not important…]

Similarly

Let Ng = their Key modulus

F = their operand

So their public key Gp = couplet (Ng, F)

Let X = a PAN

Let Encrypt(K,M) be the RSA encryption algorithm of encrypting message M using key K

To encrypt the PAN using our Public Key: Cv = Encrypt( Vp, X)

This is actually Cv = X^E mod Nv

Then encrypt again using their Public Key: Cvg = Encrypt(Gp, Cv)

This is actually Cvg = Cv^F mod Ng

Similarly, encrypt the PAN using their Public Key: Cg = Encrypt (Gp, X)

This is actually Cg = X^F mod Ng

Then encrypt again using our Public Key: Cgv = Encrypt(Vp, Cg)

This is actually Cgv = Cg^E mod Nv

So Cvg = CvF mod Ng

= (X^E mod Nv)F mod Ng

= X^EF mod Nv mod Ng

= X^FE mod Ng mod Nv

= (X^F mod Ng)^E mod Ny

= Cg^E mod Ny

= Cgv
i.e.

1. it doesn’t matter whether we encrypt with our key first or second, we get the same answer.

2. this means that the RSA algorithm is a commutative encryption algorithm

And so if we produce a value Cvg and they produce value Cgv and the values are the same, we can deduce that both organisations encrypted the same PAN, and nobody is actually sharing any PANs in the process.


End to End encryption under attack

30 March 2017
Amber Rudd

UK Home Secretary, Amber Rudd

During the consultations on the #SnoopersCharter or the Investigatory Powers Bill we were assured that there were no plans to break end to end encryption. And now with the most minor of incidents, of a single misguided individual, killing fewer that an average day of road traffic in the UK, that is being called a terrorist attack, we should give up all our privacy.

Thursday 30 March 2017

Dear Alok Sharma,

You wrote to me on 17 November 2015 (ref: CRM12097) in respect to my concerns over the Snoopers Charter aka Investigatory Powers Bill (now an Act).

In that letter you assured me that: “However the Government does not advocate or require the provision of a back-door or support arbitrarily weakening the security of internet applications and services in such a way. Such tools threaten the integrity of the internet itself.”

https://stuartward.wordpress.com/2015/11/26/reply-from-alok-sharma-on-ipbill-snooperscharter/

The comments by the Home Secretary, Amber Rudd, directly contradict that position. She is calling for messaging applications to be provisioned with back-door access.

I and other security professionals keep telling you it is not possible to safely provide back door access to encryption systems.

https://www.schneier.com/academic/paperfiles/paper-keys-under-doormats-CSAIL.pdf

This extraordinary level of access must require extraordinary evidence that it is necessary. At the moment there is no evidence that access to this data would have any material effect on the outcome of the recent criminal attack in Westminster, nor any other situation.

Calling a misguided individual, a Terrorist only inflates the situation and causes fear. Lets keep things in perspective.

Yours sincerely,

Stuart Ward


Adventures in IPv6

18 February 2017

Because I use a home ISP that supports IPv6 and has done for quite a few years, I have been using IPv6 for some time. But recently a problem meant that I was losing IPv6 connectivity. IPv4 was working fine so only a minor hiccup. But the process of investigating this I learnt quite a bit about IPv6 and I thought I would document this here. It might help someone else.

Addresses

IPv6 addresses are 128 bits long and are written down in a standard notation, this looks like:
fe80::224:d7ff:feec:e7ec
::1
2a00:1450:4009:80f::200e

It is rare to have a completely populated address, so the notation allows for shortening the bits of the address that are zero. So the address ::1 is all zero except for the last bit. Also the CDIR format of showing the number of significant bits is often used. When used in some commands the interface to send on is specified with a %eth0 suffix

There are several types of IP address, and they can be recognised by the most significant part of the address. These are the ones I came across.

::1/128 this is the loopback address same as 127.0.0.1
fe80::/64 anything staring with fe80 is a link local address. A bit like 10.x.x.x or 192.168.x.x and can only be used on a single link
ff0X::   These are multicast addresses. the most useful ones are
ff02::1 All nodes in the link-local
ff02::2 All routers in the link-local

Configuration

IPv6 has been designed for auto-configuration, so an endpoint should not have to have anything set in order to use a network. Everything is automatic.

The link local address is automatically calculated from the MAC address of the interface, it should be there for any interface that is connected regardless of the network supporting IPv6 or not. You can display the IP addresses with ifconfig (or ipconfig on windows) or ip -6 address show

Neighbor discovery protocol allows the discovery the link local addresses of locally connected interfaces. We do this with a ping or as it is more formally known via Internet Control Message Protocol version 6 (ICMPv6) to a multicast address.

$ ping6 -c2 ff02::1%eth0

$ ping6 -c2 ff02::1%eth0
PING ff02::1%eth0(ff02::1%eth0) 56 data bytes
64 bytes from fe80::3e98:c0ee:51ae:b461%eth0: icmp_seq=1 ttl=64 time=0.072 ms
64 bytes from fe80::1e74:dff:fe2c:b897%eth0: icmp_seq=1 ttl=64 time=2.53 ms (DUP!)
64 bytes from fe80::3e98:c0ee:51ae:b461%eth0: icmp_seq=2 ttl=64 time=0.059 ms

--- ff02::1%eth0 ping statistics ---
2 packets transmitted, 2 received, +1 duplicates, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.059/0.887/2.532/1.163 ms

This should give you a response form the link local of that interface, and anything else that has an IPv6 interface on that network segment. But

$ ping6 -c2 ff02::2%eth0
PING ff02::2%eth0(ff02::2%eth0) 56 data bytes
64 bytes from fe80::1e74:dff:fe2c:b897%eth0: icmp_seq=1 ttl=64 time=2.58 ms
64 bytes from fe80::1e74:dff:fe2c:b897%eth0: icmp_seq=2 ttl=64 time=0.946 ms

--- ff02::2%eth0 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.946/1.764/2.582/0.818 ms

will only give responses from routers on the segment. So now we have local addresses sorted, we need to get a routeable IPv6 address. There are a number of ways this can happen, most commonly this uses Stateless Address Autoconfiguration (SLAAC).

The steps in getting a Global scope IPv6 address then are first to find the router. This is either from the response to a Router Solicitation (RS) ICMPv6 message, or from just listening as a router will periodically send out a Router Advertisement (RA).

Wireshark Capture

Wireshark capture of IPv6 address auto-configuration

Lets step through the auto-configuration process. The first step is setting the Link Local address, this is configured from the MAC address, but there still could be conflicts. in packet 83 we send a neighbour solicitation out for the address we want to use. If nobody responds then we go ahead and use that address, packet 97.

The next important bit is the Router Solicitation, and Router Advertisement. Routers will send out a Router Advertisement periodically to the multicast address ff02::1 periodically, but can be prompted by Router Solicitation, packets 118 & 119. The Router Advertisement is displayed in the packet analysis window, and we can see the Prefix information as well as DNS servers from the router.

Next is packet 141 where we send out a Neighbor Solicitation for 2001:8b0:1679:ea38:cf58:def3:b993:1412 to check that nobody else is using this address. If nobody replies then we go and use this address.