
The children are our future.

I don’t know how many people saw that the kids punk’d the president of the United States this weekend. Not all news sources reported on it.

To be fair – they did not make it so the crowd was empty. It was just that there aren’t enough people there to fill the stadium during a pandemic.

But what they did do was take a stand and make their voices heard by making people look the fools.

The kids of today, shit on like the kids of the past, do have a voice and aren’t afraid to use it. They will make their concerns heard and will fight to make a better life.

Hip Hip Hooray!

‘Cause, we done mucked it up. Again. Another generation that had grand plans and wanted to save the world from our evil parents and grandparents. Yup – we are the same.

We try.

Sometimes.

We do more complaining than trying.

Hopefully we donate and support.

I don’t really expect them to listen to me. I’m an old white dude, lost most of my hair and listen to music that everyone thinks is old – but I want to whisper one thing and hope it comes back as the kids grow up… don’t let the dream die.

Look for this movie. It’s gotta be out there somewhere. I know it gets crap ratings, but really, be like Cheech.

So, you want to keep the family safe and secure, and your data private online.

This list is not exhaustive, but more based on what I do at home to be comfortable and make my family comfortable – and still let the use of computers be an easy thing, because if it’s too hard, people will find a way around it to make it easier. Easier always wins!

Passwords

A good password matched with two factor authentication can do a lot to help you keep your account under your control. Passwords are kinda like a lock on the door, many people know how to get past them, but they are a small deterrent. Add two factor authentication and it puts a deadbolt on the other side which makes it not really worth the effort unless there is something really juicy on the other side.

When using a password use a password manager. There are many of them. Unfortunately we are in capitalism’s era of the subscription model so you will have to pay monthly/yearly instead of just for the software. I’ve used LastPass and 1Password. I am sure 1Password goes beyond the Mac nowadays. A good manager lets you set up a family or sharing of passwords and lets you integrate into your browser/OS, to make it simple. ‘Cause if it’s not simple, you aren’t going to use it and use passwords like myPassword.

Many places, like banks and email providers also allow you to set up Two Factor Authentication. Do this. It’s the extra step that you get used to real fast that allows you to keep your account.

But why? Who cares if someone gets into my EPIC games account? There is a chance that, if you haven’t been using a manager, you use the same password for many accounts, and then they can try that password for other things, like a bank or email. With two factor authentication it makes it harder. Not impossible, but harder.

I use the Authy app and haven’t tried any others. It may be the best. It may be the worst. It works with all the accounts I set up with it and can use it as a widget on my phone.

Privacy

I’m not a big fan of ads and ad trackers. More trackers than ads since the ads have stopped popping up and being all flashy and noisy.

With that I try to limit the amount of ads that I see/deal with online daily. For this I use pi-hole to control my DNS and sink them.

*Quick sidebar primer: DNS is what helps convert names into places so things like our browser or app know where to get things. Controlling the DNS allows us to control where the computer thinks an ad or something else is coming from. We shall talk more about it in a minute.

Pi-hole does require a separate computer to be set up on, or to be set up on your home router, to work effectively. This can be a barrier to entry, but also a learning opportunity. A less expensive way to run it is on a Raspberry Pi.

There are also services that will help “keep the bad guys away” with DNS. These can be helpful for parental controls and concerns about gambling sites etc. They are not 100% (I’m sure they aren’t 80%, but they add a level of comfort and security).

Cisco bought OpenDNS a few years ago, and they now have a few free and paid options to set up your DNS for home “protection”. What this does is route your DNS traffic through them instead of your ISP, and allows them to make decisions based on your preferences. They now, instead of your ISP, have logs of all the places you looked up.

Wait – what? My ISP has all this data on me?

Yes. Yes they do. They have it and sell it to advertisers and data brokers and anyone who will buy it so they can make some more money.

Wait – what? That’s insane! They can see everything I do. That’s creepy.

Yes, yes they can. My ISP will see when I publish this online and see the URL of where I went. There is not a person sitting there watching the data go by and what you are doing on your screen. They keep it in logs for X amount of time, try to make some money off of it. Maybe some pass it off to the NSA for cataloging, but in the end, they just want to make their customers happy enough that we keep paying them so really just try to provide a service.

Why are you telling me all of this then?

To talk about VPNs. There are a lot of advertisements for VPNs. Keep yourself private they say! Your ISP knows who you are they say! I need a VPN!

No, you probably don’t.

Remote workers should use a VPN. See, VPN is a virtual private network – meaning that in the simplest terms, it keeps all the data in that network (there are other things to consider, like split tunneling, data leaking when starting the tunnel, etc, but we aren’t going to talk about them) and that’s important for work. Work data should remain there and most of the time not on a person’s home computer so yeah for the VPN!

Home use of a VPN can be tricky, ineffective and give a very false sense of security so I will not recommend any that I see out there. Not that they are bad, it’s how they are used that is important.

Let’s say I want to “mask” where I am (like in a bad episode of CSI). I use a VPN on my home computer and send out a nasty email with a weird email account to the president of a big business. I also check and use this email from my phone that is connected to my home wifi, or from work. Oh, cool – they now know who I am and can figure these things out. I did not hide anything. I just paid someone for a VPN service that didn’t protect me, because I didn’t protect myself.

Better off is to practice good internet etiquette and not do illegal things. I am not putting on the argument that if you have nothing to hide don’t fear people watching you – I am saying they are better at watching than you/I am at hiding things so don’t be mean to people and try to be anonymous or do illegal things and think you are gonna get away with it because of a VPN.

If you don’t want Google guessing everything about you based on your search history or Verizon knowing everything as you search Yahoo!, there are alternatives. Get off of Chrome and use Brave. Also you can use DuckDuckGo or Bing to search and things are a little cleaner.

Incognito/Private Browsing

This. This is so your partner or kid don’t see what you are getting them for their birthday. It is not for hiding things from the police or anyone who can see/log your traffic (think your pi-hole server log). If you wouldn’t do it in front of someone then this is not a way to mask that. Just remember that.

Serious Privacy/Anonymity

If you are an activist/whistleblower/someone in need of secure safety look up how to protect yourself in many ways and do that. A VPN is not for that. This whole post is not for that.

Secure Communications

Finally I’ll touch on secure communications, something a little more than a text message.

MMS and SMS messages are inherently insecure. They were created with security as an afterthought and that afterthought has been forgotten about.

iMessage is secure when all parties are using it. And this is how most secure messaging apps work. Many people use Facebook Messenger. I hear ya. Privacy can be turned on, but must be turned on and is run by Facebook, the company that provides a VPN so they can see your traffic.

Facebook Messenger and WhatsApp both use the technology developed by Signal as their underlying encryption, so why not just use Signal? You will actually be pretty surprised at how many people do use it. It has a good reputation and is actively being worked on for more features. If you have something you want to keep between you and the other person, this is a good option. I hear Telegram does much the same thing, but have not used it.

Is there ever an end?

This is not an exhaustive list or article and I know it’s missing things like links and footnotes to more reading, but things like privacy and security are always evolving and this is just the tip of my iceberg and what I do at home.

I didn’t even mention why Ring is a horrible thing and the IOT is a nightmare. see…

The guns.

The batons.

The riot gear.

The tear gas.

The flash bombs.

The tasers.

The surplus military assault vehicles.

All of the weapons used by the police.

Lock ’em up for the minimum a citizen would get for an assault and battery charge.

Now that all the police toys of intimidation are locked up, let’s let the police go do their job.

What? Do their job without guns and riot gear? Do their job without tear gas and surplus assault vehicles? How are they to keep the peace? How are they to uphold the law?

Well, let’s let them figure it out. Let’s let them spend time in the community. Let’s let them get to know the people they are to protect and serve.

Let’s let them learn to fix this without violence and intimidation – because really, it starts at home. One town and one cop at a time. Let the cop who knows how to do it show the one who doesn’t. Let them train how to be a peace officer and not a cop.

And if so many don’t want to do it any more, so many say it’s not gonna work, let them go – there will be people who come in and step up to the plate to take care of each other without doing harm.

So – lock ’em up. Lock ’em all up and hope we forget the key.

I know shit can be scary.

We live in a scary place.

But those of you in blue are not helping. You are supposed to. It says it on those cars you drive around in with all those guns and all that surveillance equipment in them.

Instead of seeing someone doing something wrong and stopping it, which I am pretty sure you are trained to do, you sit by, watch it happen then suit up to fight about it when the people call you out on it.

Not a good look and not a good way to win the long game.

It was real fast how you doubled down there. How fast you were able to mobilize all the blue lives.

It was real quick how fast you were able to get the tear gas and the face masks, the batons, and the rubber bullets ready to “defend” against the mourners and the protesters.

It was real quick how you were able to point out and hit the press when no one could see your face.

You did not just mess up by giving a person a bogus traffic ticket.

You didn’t fuck up by pulling in the wrong person for questioning and treating them badly.

You killed a man.

Instead of arresting the killer you suit up.

Instead of working with the community to right the wrong you dole out overtime to gas and shoot mourners and protesters.

This doubling down on the Blue Lives Matter shit is going to get a lot more people killed than needed.

If you really want to “man up”, then sit down, shut up, and take responsibility for your actions.

Oh look, I’ve written about this before. As I read back on these I am sad. Sad that things are not changing, and I need to do more. I need to learn more to make this a better world.

Set the stage:

It’s past bed time. The stalling has commenced. While I wait for the child to brush teeth I open my computer.

It is my fault.

He walks in. Toothbrush in mouth.

“Papa. How do you make the computer do things? Like, how do you make it answer questions?”

Ah, I remember. I was writing up a script the other day and he was asking about this. Because he knows how to play games. He knows how to search the internet.

So, I pull up a terminal, type python and he says, “Yeah! That!”.

Okay, so I know he’s stalling, but he also knows he’s got me.

We start with what a variable is and add up the kids ages. I type their ages and then he types in the command to add them up.

He then takes the keyboard and wants himself to be a bigger number. After he types it and tries to change his brother to a word we see what happens.

I teach him about the up arrow so he can take a few less seconds to type things and also see that only one variable has changed.

We talk about the error message and how strings need to be encapsulated.

He puts the string in quotes but gets a new error.

Not frustrated yet.

This is where I teach him about casting variables as a type. I should have taught him how to figure out a type, but I didn’t think about that until writing this. Oh well, there will be more times.

Seeing how he can concatenate the words, he wants to make a silly word. He wants to make the word ‘malvin’.

He changes the variables, remembering the quotes.

Ooops. Almost there. What went wrong I ask.

Figured that one out pretty quick.

What next?

Bed. That was a good start for the evening.

';--have i been pwned?, you’ve heard of it, right? Let’s pretend you haven’t. It collects and lets people know if their email has been found in a data breach or credentials are up in a paste.

I want to check to see if my email is there. Cool. I can go to the website and type in my email address and see where it’s been collected. Trust me. It’s been collected.

Now, let’s say I want to check on everyone in my family after I hear about a breach in the news? Or I run IT for a small org that has me do everything. Or I am in charge of making sure those in the C Suite are kept safe.

What can I do? I can pay a vendor a lot of money to “protect” me. I can pay for identity monitoring.

I can use the API.

I can also find a free script to run that will check this for me and give me the info I need with the freedom to change it for my needs.

There are many scripts out there that will do this. Here is one of them. Written in python.

By me. Using the API mentioned above.

Written a while ago – but updated recently to deal with the new API (which does cost $3.50/month to use – more on that here) I think it’s a good little ditty that will check one email or a set of emails from a file.
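A sketch of that kind of batch check, added here as an example and not taken from the hibp_quickCheck repo. It uses the v3 `breachedaccount` endpoint with the `hibp-api-key` header; the user agent string, the key placeholder, the addresses and the `fake_get` stand-in (so it runs offline) are all constructed.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

API = "https://haveibeenpwned.com/api/v3/breachedaccount/"


def http_get(url, headers):
    """Real transport: returns (status, response headers, body text)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def check_email(email, api_key, get=http_get, sleep=time.sleep, retries=3):
    """Return the breach names recorded for one address ([] when there are none)."""
    url = API + urllib.parse.quote(email, safe="")
    # The v3 API wants both an API key and a user agent on every request.
    headers = {"hibp-api-key": api_key, "user-agent": "hibp-batch-example"}
    for _ in range(retries):
        status, resp_headers, body = get(url, headers)
        if status == 200:
            return [breach["Name"] for breach in json.loads(body)]
        if status == 404:  # address not found in any breach
            return []
        if status == 429:  # rate limited: wait as long as the server asks
            lowered = {k.lower(): v for k, v in resp_headers.items()}
            sleep(int(lowered.get("retry-after", "2")))
            continue
        raise RuntimeError(f"HIBP returned HTTP {status} for {email}")
    raise RuntimeError(f"still rate limited after {retries} attempts: {email}")


def check_many(lines, api_key, **transport):
    """Check every address in an iterable of lines (for example an open file)."""
    results = {}
    for line in lines:
        email = line.strip().lower()
        if not email or email.startswith("#") or "@" not in email:
            continue  # skip blanks, comments and anything that is not an address
        results[email] = check_email(email, api_key, **transport)
    return results


def fake_get(url, headers):
    """Constructed stand-in for the API so the example runs offline."""
    account = urllib.parse.unquote(url.rsplit("/", 1)[1])
    if account == "pwned@example.com":
        return 200, {}, json.dumps([{"Name": "ExampleBreachA"}, {"Name": "ExampleBreachB"}])
    if account == "busy@example.com":
        if not fake_get.throttled:
            fake_get.throttled = True
            return 429, {"Retry-After": "1"}, ""
        return 200, {}, json.dumps([{"Name": "ExampleBreachC"}])
    return 404, {}, ""


fake_get.throttled = False

if __name__ == "__main__":
    family = ["# constructed list", "pwned@example.com", "clean@example.com", "busy@example.com"]
    for address, breaches in check_many(family, "PLACEHOLDER-KEY", get=fake_get).items():
        print(address, "->", ", ".join(breaches) or "no breaches found")
```

Drop the `get=fake_get` argument and pass a real key to query the live API; the 429 branch matters there because the paid keys are rate limited.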

Who is this for?

First it was just for me, then my thoughts moved to the audience for this would be the family techie who is always watching out for the other, or the IT team of one for that small but very important organization without the huge budget.

Check it out…

https://github.com/m0nkeyplay/hibp_quickCheck

What more do you need?

No, really, what more do you want from it? Let me know and I’ll see what I can do.

My family, like many, has been in stay at home for a while now. To the point where we are hearing about opening things up again – for the economy!™ Trust me. We want to get back out there. We want to mingle. We want to go to a restaurant. We want to go to a park and see our friends.

We have a 3 year old who for the first time is understanding a birthday party. And we want to give him it. But it’s in June.

We have camps contacting us about how we feel about whether we feel comfortable sending our child. We have the Y asking how we feel about starting up classes soon.

And my gut answer today is no. It is, I am sorry, no. I don’t feel comfortable going back to these things yet, no matter how much I want to. Not even for the economy! ™

Here is why. See. I know I am not the only person here. I know I am not the only person with kids and with parents. I want my kids to see my parents. They dearly miss their grandma who is close and those who are far. I want them to safely see each other. And we can’t. We can’t do that in May. We can’t do that in June if the kids are in the camps that they really want to reopen – because nothing has changed.

Yes. Those who are dying may get to a hospital, but the rules and ways for that to happen are too slim to risk my mother for that.

Listen, I trust my governor. He speaks with honesty and more honesty and I believe when he says he’s working for the best and if what’s happening isn’t for the best, they will work to change it.

I trust my mayor. He and the town are doing all they can to help everyone out.

I trust my doctor. She is who I will go to when I need to ask questions.

But this is where the trust stops – and I need more trust than that. I need trust that if my doctor says – hey, you or your family need a test – that my family will get it. No questions asked.

And you know what? I don’t trust my health insurer or the federal government to provide that unless we are damn sure to become a statistic. The government meant to protect us all wants nothing to do with us. They don’t want to help. Nothing new has come out to help people when we do open up. No guaranteed help for those who need it. No help to detect and prevent in all the time we have been asked to stay inside. Only blame.

The only reason my health care provider is providing testing is because it was mandated. Until the day it was noted they would be paid back, it was considered part of our deductible, and to this day, we need to get our sick body to a CDC approved testing site. And, while I am in the midwest, I am in a major metro area where there isn’t one.

So, my doc can try to help our family. My local government is trying to keep us safe, but until the insurers want to help and the feds are more worried about keeping people healthy and alive than how they are looking, I can’t open up and go back to trotting around.

I don’t want my kids to make my mom sick. I don’t want to make my mom sick.

I know there will be tests. There will be things we can do to keep everyone safe. Until that comes about… Until it’s available to all… I don’t know how to properly move forward.

iOS Version – what info does it reveal?

Scrolling through Twitter this evening and I came across this.

It reminded me of when the NSA released Ghidra, but from the people who brought us Mulder and Scully. I love Mulder and Scully.

Having been playing around to see who apps are talking to, this seemed like a good one.

I downloaded the app. It did not ask for permission to use anything on my phone. Before I could use it, I needed to agree to their rather simple privacy statement (there was also a health statement that was a bit longer above).

So, according to this, info is only stored on my phone and not transmitted to, or saved by, the F B I (say it like Mulder).

They also wanted me to tell them my sex. I could change that at any time.

Then I tried to do the sit up challenge. Okay, I moved it like a shake weight in my arm, but did the challenge to see what happened.

This was a very limited test, but the app is rather limited, so I stopped there.

What did I find?

First, the app did talk. It didn’t talk to the FBI. It did talk to the folks the FBI hired out to make the app.

So, what did it send this oh so trusting app developer who provides stats for all tiers of the apps?

Really, not that much exciting stuff. It did use a hardware identifier that I can not identify from my device, but it did use this in each post to the developer.

{
    "os": {
      "name": "ios",
      "version": "13.3.1"
    },
    "hardware": {
      "id": "A444626E-0AC8-4951-B70C-FD6E6240967F",
      "name": "iPhone9,1",
      "arch": "arm64"
    }

It also noted when I started the situps test, but nothing really more exciting than that.

    "app": "bd1eca37-c244-4ebf-9999-50dfa4fc62e7",
    "id": "1D42EEBB-5E74-4D66-A79F-A653AD407E3B",
    "event": "iphone.Sit-Ups Test Started.",
    "data": {
      "sdk_version": "8.0.2",
      "app_name": "FitTest",
      "timezone": -300,
      "app_id": "com.fbi.fittest"
    },
    "hardware": {
      "id": "A444626E-0AC8-4951-B70C-FD6E6240967F",
      "name": "iPhone9,1",
      "arch": "arm64"
    },

It didn’t send my chosen sex at any time. It didn’t even send how awesome I was when I finished my “situps”. It just moved onto the next screen I looked at and did this for each screen.
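One way to make that comparison systematic, added here as an example and not part of the original capture work: flatten each captured event and report which UUID-shaped fields stay the same from one event to the next. The first sample event is assembled from the two excerpts above (assuming they belong to the same kind of payload); the second event and its values are constructed.

```python
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Event 1: assembled from the two excerpts on this page.
EVENT_1 = {
    "app": "bd1eca37-c244-4ebf-9999-50dfa4fc62e7",
    "id": "1D42EEBB-5E74-4D66-A79F-A653AD407E3B",
    "event": "iphone.Sit-Ups Test Started.",
    "data": {"sdk_version": "8.0.2", "app_name": "FitTest",
             "timezone": -300, "app_id": "com.fbi.fittest"},
    "hardware": {"id": "A444626E-0AC8-4951-B70C-FD6E6240967F",
                 "name": "iPhone9,1", "arch": "arm64"},
    "os": {"name": "ios", "version": "13.3.1"},
}
# Event 2: constructed follow-on screen event with a new per-event id.
EVENT_2 = {**EVENT_1,
           "id": "00000000-0000-4000-8000-000000000002",
           "event": "iphone.Example Screen Viewed."}
SAMPLE_EVENTS = [EVENT_1, EVENT_2]


def flatten(obj, prefix=""):
    """Yield (dotted.path, value) for every leaf of a decoded JSON value."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from flatten(value, f"{prefix}[{index}]")
    else:
        yield prefix, obj


def classify_fields(events):
    """Split leaf fields into (constant across every event, varying)."""
    if len(events) < 2:
        raise ValueError("need at least two events to compare")
    seen = {}
    for event in events:
        for path, value in flatten(event):
            seen.setdefault(path, []).append(value)
    constant, varying = {}, {}
    for path, values in seen.items():
        # Constant means: present in every event with one single value.
        if len(values) == len(events) and len(set(values)) == 1:
            constant[path] = values[0]
        else:
            varying[path] = values
    return constant, varying


def persistent_identifiers(events):
    """Constant, UUID-shaped fields: candidates for a device or install ID."""
    constant, _ = classify_fields(events)
    return {path: value for path, value in constant.items()
            if isinstance(value, str) and UUID_RE.match(value)}


if __name__ == "__main__":
    for path, value in persistent_identifiers(SAMPLE_EVENTS).items():
        print(f"sent unchanged with every event: {path} = {value}")
```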

I didn’t leave it running in the background and keep seeing what was happening. I didn’t do any big isolation tests and didn’t install on an android device to see what happens, so this really isn’t very complete.

What I do know though is my daily yoga app that I love and pay for talks to more places just when I start it up, than this app did when I gave it a quick run through.

Would I use the app? No. Out of privacy concerns? No.

How did I catch the data? That’s here.

Thanks!

I’m always interested in where my data is going. Who is using it? What data is being collected?

I use my phone a lot more than I use my (shiny new) computer so it made sense for me to see what data it is spilling. I also use an iPhone, so this can surely be ported to Android. I just don’t have the resources to do that.

What’s my goal?

  • I want to see what data my apps are sending and to where.
  • I want to be able to do this with tools I have on hand.

What do I need to achieve this goal?

First off. I do not need to buy an ASA on craigslist so I can monitor all the traffic. Yes, it’s fun. Yes it’s cool to see. But for my house, it’s overload and we have adequate heating. So, let’s not do that again. Okay, now that’s out of the way.

  • an iDevice with an app we want to see what it’s doing
  • a proxy
    • We will use Zap. Zap comes on Kali, or download it to your favorite platform.
  • the iDevice configured to use the proxy and accept the certificate

The Setup

We need to set up Zap to proxy our data as well as capture SSL traffic since most apps use https to make their calls.

Under the Tools –> Options –> Local Proxy let’s make sure the additional proxy is set to all (0.0.0.0) and a different port than the localhost port. I have it set to 8082.

additional proxies to 0.0.0.0:8082

While in the options, let’s choose the Dynamic SSL Certificates and save that to the computer. We will need this in a few.

With this, we will be able to use apps and see the data being passed.

Device Setup

To get an iDevice to trust a cert we need to load it on the device and make some changes. The good thing is they don’t make this so dead simple that it can happen by accident.

I will fire up Apple Configurator 2 then select File –> New Profile.

I will give it a name and an identifier.

Next I will give it the cert we made with Zap. This cert won’t be trusted, and that’s okay. We will take care of that in a bit.

Leave everything else as is and save it. It will save as a Configuration Profile file.

We are getting close to the fun part.

Transfer the file to the iDevice. I used AirDrop after emailing it to myself.

If you can’t AirDrop it, go for email or put it in Dropbox. When you get the file it should prompt you to install the profile.

Choose the Profile Downloaded

Install the Profile. It will warn you a few times. Read through the more details to see what’s happening. Always a good idea when following directions from the Internet.

You will get to the profile being installed. Click Done.

Trust

Now we need to trust the certificate. Just because it’s there, doesn’t mean we trust it. Navigate to the About Section, then scroll to the bottom to get the Certificate Trust Settings.

Enable the certificate that was presented and choose to continue.

Setting the Proxy

For all of this to work, we need to set the proxy for the network we are on.

Open the settings for the Wifi network. **This is specific to the network you are on. It will not proxy when on cellular or at your friend’s house or Starbucks.

It’s here that we set the proxy to the Zap server and port.

Click Save and we are ready to look at the data.

Viewing the data

Head on back to Zap and open up an app to see where the data is flowing.

One of the things I really like about Zap is that it groups the data by sites, so I can look to see what data is going where.

We can see we are getting https traffic and can decrypt the traffic just from woot here. We can see domains, requests, and responses.

Zap will let you manipulate this data to see what happens. That is for someone else’s blog post today.

Added bonus is seeing all the places that the app is sharing your data with and setting up a Pi-hole server to get rid of all that sharing your favorite weather app does.
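To turn a capture session into that list of places, here is an added example (not from the original post) that summarises requests per host and pulls out the third parties as candidates for blocking. It assumes the history has been saved in HAR format; the sample capture, the `.example` hosts and the choice of first-party domain are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

BODY = '{"device":"constructed-id"}'  # constructed POST body, 27 bytes

# Constructed HAR fragment; only the fields this example reads are present.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET",
                 "url": "https://api.weather.example/v1/forecast?zip=00000"}},
    {"request": {"method": "POST",
                 "url": "https://metrics.analytics.example/collect",
                 "postData": {"mimeType": "application/json", "text": BODY}}},
    {"request": {"method": "POST",
                 "url": "https://metrics.analytics.example/collect",
                 "postData": {"mimeType": "application/json", "text": BODY}}},
    {"request": {"method": "GET",
                 "url": "http://ads.tracker.example/pixel.gif"}},
]}}


def summarize_har(har):
    """Return {host: {requests, methods, cleartext, bytes_sent}} for a capture."""
    hosts = defaultdict(lambda: {"requests": 0, "methods": set(),
                                 "cleartext": False, "bytes_sent": 0})
    for entry in har["log"]["entries"]:
        request = entry["request"]
        parts = urlsplit(request["url"])
        host = (parts.hostname or "").lower()
        if not host:
            continue  # malformed or non-network URL
        info = hosts[host]
        info["requests"] += 1
        info["methods"].add(request["method"])
        # Anything sent over plain http is readable by everyone on the path.
        info["cleartext"] = info["cleartext"] or parts.scheme == "http"
        body = (request.get("postData") or {}).get("text") or ""
        info["bytes_sent"] += len(body.encode("utf-8"))
    return {host: {**info, "methods": sorted(info["methods"])}
            for host, info in hosts.items()}


def third_party_hosts(summary, first_party):
    """Hosts that are not one of the app's own domains or a subdomain of one."""
    def is_first_party(host):
        return any(host == d or host.endswith("." + d) for d in first_party)
    return sorted(host for host in summary if not is_first_party(host))


if __name__ == "__main__":
    summary = summarize_har(SAMPLE_HAR)
    for host in third_party_hosts(summary, ["weather.example"]):
        info = summary[host]
        note = " (cleartext!)" if info["cleartext"] else ""
        print(f"{host}: {info['requests']} requests, "
              f"{info['bytes_sent']} bytes sent{note}")
```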

Cleanup

We don’t always want our data going through the proxy. Some places are more finicky than others and will give weird results, so when done, always take the time to clean up and undo the proxy settings and disable the trust in your certificate.

These can be turned back later when doing some more app reviews.

For a bit I was writing down the tools I had been working with and making. And then my blog blew up. Or more literally locked up and I lost the data because it was all on a dev machine that I didn’t care that much about.

I didn’t really stop working on things, but didn’t write much about it.

Then yesterday I had an idea. It wasn’t an original idea. It was really a how can I make that so I can use it and not need to install more software.

I came across this tool in a tweet. https://github.com/hakluke/hakcheckurl Written in Go, it checks on URLs, looks like it spiders and gets status codes for the URLs. Cool I thought. Go I thought.

Can I do it in python (I thought)? I played around. I looked around. I really didn’t want to rewrite a crawler. Lazy I know, but it’s my project and time.

New Direction

Sites have places they don’t want crawled. They put these places in a file in hopes that crawlers will respect this and not look there.

Most of these files/folders will be benign, style folders, images taken out of context, but some can help people looking for vulnerabilities out.

So, why not work out a way to take a look at them solo or in batches of sites?

talkToRobots

Or as Gabe calls it, Skynet. It’s available at my github repo.

https://github.com/m0nkeyplay/talkToRobots

So, what can it do?

Right now it’s pretty simple. Choose from one site or provide a list of sites and we will go check if they have a robots.txt file and log that data for review.

I’m hoping to add the ability to switch between http and https if one doesn’t show results soon for a site. The thought of piping the disallows to be followed and see what’s there has also crept into my mind.
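For the review step on a site you run, this added example (not code from talkToRobots) parses a fetched robots.txt, groups the Disallow entries by user agent, and flags the ones that advertise something more than style or image folders. The sample file and the keyword pattern are constructed; it also rejects an HTML error page served in place of the file.

```python
import re

# Constructed pattern: path fragments worth a second look in your own file.
REVIEW_RE = re.compile(
    r"admin|backup|\.git|\.env|config|private|staging|internal|\.sql|\.bak", re.I)

SAMPLE_ROBOTS = """\
# constructed sample
User-agent: *
Disallow: /css/
Disallow: /images/
Disallow: /admin/
Disallow: /backup/site.sql   # nightly dump
Allow: /

User-agent: examplebot
Disallow:
Sitemap: https://www.example.com/sitemap.xml
"""


def directives(text):
    """Yield (field, value) pairs, ignoring comments and non-directive lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            field, value = line.split(":", 1)
            yield field.strip().lower(), value.strip()


def looks_like_robots(text):
    """False for an HTML error page returned with a 200 in place of the file."""
    if text.lstrip().startswith("<"):
        return False
    known = {"user-agent", "disallow", "allow", "sitemap"}
    return any(field in known for field, _ in directives(text))


def parse_robots(text):
    """Return {user-agent: [disallowed paths]} using robots.txt group rules."""
    groups, agents, in_rules = {}, [], False
    for field, value in directives(text):
        if field == "user-agent":
            if in_rules:  # a User-agent line after rules starts a new group
                agents, in_rules = [], False
            agents.append(value.lower())
            groups.setdefault(value.lower(), [])
        elif field in ("allow", "disallow"):
            in_rules = True
            # An empty Disallow means "nothing is disallowed", so skip it.
            if field == "disallow" and value:
                for agent in agents:
                    groups[agent].append(value)
    return groups


def entries_to_review(text):
    """Disallowed paths that point at content better protected by access control."""
    if not looks_like_robots(text):
        raise ValueError("response is not a robots.txt file")
    paths = {p for rules in parse_robots(text).values() for p in rules}
    return sorted(p for p in paths if REVIEW_RE.search(p))


if __name__ == "__main__":
    for path in entries_to_review(SAMPLE_ROBOTS):
        print("review:", path)
```

A path that shows up here is already public knowledge; the fix is authentication on the path itself, not a quieter robots.txt.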

Download it. Give it a spin. Give it a whirl. Please help me improve it.