Category: Uncategorized

Do you remember your first secret message? Was it a note to a friend, a family member, or a crush, the kind that got caught by the teacher?

I just finished reading Gregor the Overlander to one of the kids.

Without spoiling a 13-year-old series, I'll just say there is a great part in it that introduced my son to ciphers and cryptography.

Then last night at the dinner table, talking about Minecraft (as usual) he just popped up with a riddle: “What’s the opposite of A?”

I said, “Z”. I was right!

Then he asked, “What’s the opposite of X?”

I said, “C?”. I was right again!

“We can make secret messages like this.” Yes, yes we can.

“Do you want to learn how to do it in python?”

We’ve talked about doing things in python before. As he’s getting more comfortable typing he’s starting to learn more. This seemed like a good time to work on some ideas.

I put together a little module with arrays, dictionaries, and functions. Great fun and learning opportunities if we want.

The module is only fun though if you can use it. I put together a little interactive game…

As well as a way to use it with simple text to scramble and descramble…

We are currently playing around with it, having some fun.

Want to? Go grab it at https://github.com/m0nkeyplay/simple-alphabet-cipher.

Just remember, it's for fun. This is a fixed substitution with no key at all: anyone who knows the trick (or simply counts which letters show up most) reads it straight off. Don't go rolling your production apps with this and calling it secure.
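The dinner-table riddle ("the opposite of A is Z") is the Atbash cipher, and the module described above is built from the same pieces: a table (dictionary) that maps each letter to its partner, plus scramble and descramble functions. The block below is an added example written for this page, not the code from the simple-alphabet-cipher repository. It goes a little beyond Atbash by accepting any keyed substitution alphabet, and it includes the one-line attack that shows why the "not secure" warning applies: count the letters and the most common ciphertext letter is almost always plaintext e.

```python
import string
from collections import Counter
from typing import Dict, List, Tuple

ALPHABET = string.ascii_lowercase


def make_substitution(key_alphabet: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Build the encode and decode tables for a simple substitution cipher.

    key_alphabet must contain each of a-z exactly once; plaintext letter i
    maps to key_alphabet[i]. Atbash is the special case where the key is the
    alphabet written backwards.
    """
    key_alphabet = key_alphabet.lower()
    if sorted(key_alphabet) != list(ALPHABET):
        raise ValueError("key alphabet must be a permutation of a-z")
    encode = dict(zip(ALPHABET, key_alphabet))
    decode = {cipher: plain for plain, cipher in encode.items()}
    return encode, decode


# Atbash: A<->Z, B<->Y, ..., X<->C. There is no key, only a fixed table.
ATBASH_ENCODE, ATBASH_DECODE = make_substitution(ALPHABET[::-1])


def substitute(text: str, table: Dict[str, str]) -> str:
    """Apply a substitution table letter by letter, preserving case.

    Anything that is not a letter (digits, spaces, punctuation) passes
    through unchanged, which is how the riddle works at the dinner table.
    """
    out: List[str] = []
    for ch in text:
        low = ch.lower()
        if low in table:
            mapped = table[low]
            out.append(mapped.upper() if ch.isupper() else mapped)
        else:
            out.append(ch)
    return "".join(out)


def atbash(text: str) -> str:
    """Scramble or descramble with Atbash; the mapping is its own inverse."""
    return substitute(text, ATBASH_ENCODE)


def scramble(text: str, key_alphabet: str) -> str:
    """Encode with an arbitrary keyed alphabet (e.g. a keyboard-row key)."""
    encode, _ = make_substitution(key_alphabet)
    return substitute(text, encode)


def descramble(text: str, key_alphabet: str) -> str:
    """Decode text produced by scramble() with the same key."""
    _, decode = make_substitution(key_alphabet)
    return substitute(text, decode)


def most_common_letter(text: str) -> str:
    """The letter that occurs most often in text (ties go to the earlier letter).

    This is the whole attack on any single-letter substitution: the most
    frequent ciphertext letter is almost always plaintext 'e', and the rest
    of the table falls out the same way, however the key was chosen.
    """
    counts = Counter(ch for ch in text.lower() if ch in ALPHABET)
    best = max(counts.items(), key=lambda kv: (kv[1], -ord(kv[0])))
    return best[0]


if __name__ == "__main__":
    secret = atbash("Minecraft is the best game")
    print(secret)                       # Nrmvxizug rh gsv yvhg tznv
    print(atbash(secret))               # back to the plaintext
    print(most_common_letter(secret))   # v, which is Atbash for e
```

Because Atbash is an involution, one function both scrambles and descrambles; the keyed version needs the separate decode table. The `most_common_letter` check is the reason the cipher is a toy: the key space of a general substitution is 26! but the letter statistics of English leak straight through.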


School is going to be a bit different this year.

It's not going to be the chaos of pre-COVID-19 learning, and hopefully it won't be the caught-off-guard chaos of when the pandemic hit either. No matter what happens, we are doing things a bit differently this school year.

One of our children attends a small charter school. I've learned that charter school means a bit less bureaucracy and a lot more involvement. Like most schools, there is a Fall Festival, an early-in-the-year get-together so everyone can start building that community.

How do we do that with a global pandemic? How do we do that and keep everyone safe?

We are working on it. A great team of people is thinking up and putting together ideas for how to connect digitally (for now) and get tangible things into families' hands as well.

It's up to me to find a platform to host this event. One that's safe, easy to get to, and doesn't need ten techs to keep it running for a couple of hours. That one I am still working on.

My other job was to create BINGO cards so we can run a virtual BINGO game. BINGO cards? What? That can't be fun.

Oh silly. Of course it can.

I spend my days thinking up different ways to make data accessible to management. Yeah, I also get to do some really cool stuff and make data accessible for workers like me too, but this… I got to think about a really neat problem and work it out.

First I needed to learn a little bit about BINGO. Oh, I've played it and I know how to win and how to lose, but I didn't know which numbers went where. That part is kind of important when making cards.

Great. I learned that (15 numbers per letter: B is 1–15, I is 16–30, N is 31–45, G is 46–60 and O is 61–75, with five from each range going down a column).

Now, I needed to make sure that each number was only on the card once. My make-things-complicated mind was racing with this one. Draw a random number, check whether that number was used already, and if so draw another one. Independent draws collide often (the fuller the column, the likelier the next draw repeats something), so that loop can spin a lot, and that is not a sign the random number generator is broken…

Slow down. Start from the list of 15 candidates for the column and pop a random number out of it for each square (whether you sort what's left after each pop is cosmetic). A popped number can't be drawn again, so nothing can overlap and there is nothing to check.

Account for the FREE SPACE. Put a nice little pic of the school logo in there.

Voila. 500 of these, available to print in a matter of seconds, because computers are a lot faster than me.
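The steps above (column ranges, sampling without replacement by popping, the free space, then 500 cards) as one working program. This is an added example written for this page, not the code from the author's GitHub repository; the text rendering and the duplicate-card guard are my own additions.

```python
import random
from typing import List, Optional

# Standard US bingo: each column draws from its own range of 15 numbers.
COLUMN_RANGES = {"B": (1, 15), "I": (16, 30), "N": (31, 45), "G": (46, 60), "O": (61, 75)}
FREE = None  # marker for the centre square

Card = List[List[Optional[int]]]  # 5 rows x 5 columns


def make_card(rng: random.Random) -> Card:
    """Build one card. Each column shuffles its 15 candidates and pops five,
    so a number can never appear twice: sampling without replacement needs no
    'was this used already?' check at all."""
    columns: List[List[Optional[int]]] = []
    for _letter, (lo, hi) in COLUMN_RANGES.items():
        pool = list(range(lo, hi + 1))
        rng.shuffle(pool)
        columns.append([pool.pop() for _ in range(5)])
    columns[2][2] = FREE  # N column, middle row
    # transpose so the card is stored as rows, the way it is printed
    return [[columns[c][r] for c in range(5)] for r in range(5)]


def is_valid(card: Card) -> bool:
    """Check the rules a card must follow: every column inside its range,
    no repeats, and the free space exactly in the middle."""
    if len(card) != 5 or any(len(row) != 5 for row in card):
        return False
    for col, (lo, hi) in enumerate(COLUMN_RANGES.values()):
        values = [card[row][col] for row in range(5)]
        if col == 2:
            if values[2] is not FREE:
                return False
            values = values[:2] + values[3:]
        if any(v is None or not lo <= v <= hi for v in values):
            return False
        if len(set(values)) != len(values):
            return False
    return True


def make_deck(count: int, seed: Optional[int] = None) -> List[Card]:
    """Generate `count` distinct cards. A seed makes the deck reproducible,
    which is handy if the same cards ever need to be reprinted."""
    rng = random.Random(seed)
    deck: List[Card] = []
    seen = set()
    while len(deck) < count:
        card = make_card(rng)
        key = tuple(tuple(row) for row in card)
        if key in seen:  # astronomically unlikely, but cheap to guard against
            continue
        seen.add(key)
        deck.append(card)
    return deck


def format_card(card: Card) -> str:
    """Render a card as text, header row first, one line per row."""
    lines = ["  ".join(f"{letter:>4}" for letter in COLUMN_RANGES)]
    for row in card:
        lines.append("  ".join("FREE" if v is FREE else f"{v:>4}" for v in row))
    return "\n".join(lines)


if __name__ == "__main__":
    for card in make_deck(2, seed=2020):
        print(format_card(card), end="\n\n")
```

`random.Random` is fine here because nobody can profit from predicting a bingo card; if you ever generate anything where guessing the next value has value (raffle winners, tokens, reset codes), use the `secrets` module instead.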

B-I-N-G-O

It was fun. It was nice. It was cool to make something that only took an hour or so to work out, not weeks and months and lots of rejiggering.

It felt like a first project, the kind of "I want to learn Python and I need a project to make it real" thing. So for that, I've put the code up on GitHub for anyone who wants to make their own cards as an experiment. Trust me, I am sure there are better ways to do it than the way I did it, but mine worked.

Also, if anyone just wants 500 BINGO cards, here you go. No branding, just a FREE SPACE.

500 BINGO Cards (pdf)

The children are our future.

I don’t know how many people saw that the kids punk’d the president of the United States this weekend. Not all news sources reported on it.

To be fair, they did not make it so the crowd was empty. It was just that there weren't enough people there to fill the stadium during a pandemic.

But what they did do was take a stand and make their voices heard by making people look the fools.

The kids of today, shit on like the kids of the past, do have a voice and aren't afraid to use it. They will make their concerns heard and will fight to make a better life.

Hip Hip Hooray!

'Cause we done mucked it up. Again. Another generation that had grand plans and wanted to save the world from our evil parents and grandparents. Yup – we are the same.

We try.

Sometimes.

We do more complaining than trying.

Hopefully we donate and support.

I don't really expect them to listen to me. I'm an old white dude who has lost most of his hair and listens to music that everyone thinks is old – but I want to whisper one thing and hope it comes back as the kids grow up… don't let the dream die.

Look for this movie. It’s gotta be out there somewhere. I know it gets crap ratings, but really, be like Cheech.

So, you want to keep the family safe and secure, and your data private online.

This list is not exhaustive; it's based on what I do at home to be comfortable and make my family comfortable, while still letting the use of computers be an easy thing, because if it's too hard, people will find a way around it to make it easier. Easier always wins!

Passwords

A good password matched with two-factor authentication can do a lot to help you keep your account under your control. Passwords are kind of like a lock on the door: many people know how to get past them, but they are a small deterrent. Add two-factor authentication and it puts a deadbolt on the other side, which makes it not really worth the effort unless there is something really juicy on the other side.

When using a password, use a password manager. There are many of them. Unfortunately we are in capitalism's era of the subscription model, so you will have to pay monthly/yearly instead of just once for the software. I've used LastPass and 1Password. 1Password runs well beyond the Mac these days. A good manager lets you set up a family or sharing of passwords and integrates into your browser/OS to make it simple. 'Cause if it's not simple, you aren't going to use it, and you'll use passwords like myPassword.

Many places, like banks and email providers, also allow you to set up two-factor authentication. Do this. It's the extra step that you get used to real fast, and it allows you to keep your account.

But why? Who cares if someone gets into my Epic Games account? If you haven't been using a manager, there is a chance that you use the same password for many accounts, and then they can try that password for other things, like a bank or email. Two-factor authentication makes that harder. Not impossible, but harder.

I use the Authy app and haven't tried any others. It may be the best. It may be the worst. It works with all the accounts I set up with it, and I can use it as a widget on my phone.
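What an app like Authy is actually doing when it shows you six digits is RFC 6238 TOTP: an HMAC over the current 30-second time step, keyed with the secret the site handed you in the QR code. The block below is an added example (not Authy's code, and not the author's), with the server-side check that goes with it: a small clock-drift window, a constant-time compare, and a "never accept the same code twice" rule, because a one-time code that can be replayed is just a second password.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamically
    truncate to 31 bits, and keep the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = Unix time // step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits, algo)


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret from a setup page or provisioning QR code.
    Spaces and missing '=' padding (both common on setup pages) are tolerated."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, at_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter: int = -1) -> Optional[int]:
    """Server-side check. Returns the counter the code matched, or None.

    - accepts +-`window` steps of clock drift between phone and server
    - compares in constant time and checks every candidate, so timing does
      not reveal which step matched
    - refuses any counter <= last_counter, so a code can't be replayed once
      accepted (store the returned counter and pass it back next time)
    """
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return None
    if at_time is None:
        at_time = time.time()
    current = int(at_time) // step
    matched: Optional[int] = None
    for counter in range(current - window, current + window + 1):
        candidate = hotp(secret, counter, digits)
        if hmac.compare_digest(candidate, code) and counter > last_counter:
            matched = counter
    return matched


if __name__ == "__main__":
    # RFC 6238's published test secret, written the way a setup page shows it
    secret = secret_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print(totp(secret))  # the six digits an authenticator app would show right now
```

The values in the test are the RFC 4226/6238 published vectors for the ASCII secret `12345678901234567890`, so you can check any other implementation against the same numbers. Note what the window buys and costs: with `window=1` a code stays valid for up to 90 seconds, which is why the replay rule matters.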

Privacy

I'm not a big fan of ads and ad trackers. More the trackers than the ads, since the ads have stopped popping up and being all flashy and noisy.

With that, I try to limit the amount of ads that I see/deal with online daily. For this I use Pi-hole to control my DNS and sinkhole them: the ad and tracker domains resolve to a dead address instead of the real server.

*Quick sidebar primer: DNS is what converts names into places, so things like our browser or an app know where to get things. Controlling the DNS allows us to control where the computer thinks an ad or something else is coming from. We shall talk more about it in a minute.

Pi-hole does require a separate computer to run on, or to be set up on your home router, to be effective. This can be a barrier to entry, but also a learning opportunity. A less expensive way to run it is on a Raspberry Pi.

There are also services that will help "keep the bad guys away" with DNS. These can be helpful for parental controls and concerns about gambling sites, etc. They are not 100% (I'm sure they aren't even 80%), but they add a level of comfort and security.

Cisco bought OpenDNS a few years ago (in 2015). They have a few free and paid options to set up your DNS for home "protection". What this does is route your DNS traffic through them instead of your ISP and let them make decisions based on your preferences. They now, instead of your ISP, have logs of all the places you looked up.
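The mechanism behind Pi-hole and the "family" DNS services is the same: a resolver holds a list of domains and answers a dead address for any of them instead of forwarding the query. As an added example (my code, not Pi-hole's), here is that logic in miniature: parsing a hosts-format blocklist like the ones Pi-hole imports, deciding whether a name is blocked, and returning the sinkhole address. The blocklist and the upstream answers are constructed samples with made-up domains; matching parent domains (so cdn.tracker.example.com is caught by tracker.example.com) is my choice here, Pi-hole's default gravity list matches exact names.

```python
import ipaddress
from typing import Dict, Optional, Set

SINKHOLE = "0.0.0.0"

# Constructed sample blocklist in hosts-file format, the format most of the
# lists Pi-hole imports use. Not a real list; the domains are made up.
SAMPLE_BLOCKLIST = """\
# ad and tracker hosts (sample)
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.com   # inline comment
0.0.0.0 www.ads.example.net
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 0.0.0.0
"""

# Loopback boilerplate every hosts file carries; never treat these as blocks.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "0.0.0.0"}


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so lookups are case-insensitive."""
    return name.strip().lower().rstrip(".")


def parse_hosts_blocklist(text: str) -> Set[str]:
    """Collect the domains a hosts-format list points at a sinkhole address
    (0.0.0.0 or loopback), skipping comments, local names and bad lines."""
    blocked: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line: ignore rather than trust it
        if not (ip.is_unspecified or ip.is_loopback):
            continue  # a real address is a hosts override, not a block entry
        for name in names:
            name = normalize(name)
            if name and name not in LOCAL_NAMES:
                blocked.add(name)
    return blocked


def is_blocked(name: str, blocked: Set[str], match_parents: bool = True) -> bool:
    """Exact match against the list and, optionally, any parent domain."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked:
            return True
        if not match_parents:
            break
    return False


def resolve(name: str, blocked: Set[str], upstream: Dict[str, str]) -> Optional[str]:
    """What the sinkholing resolver answers: the dead address for anything on
    the list, otherwise whatever upstream says. `upstream` is a plain dict
    standing in for the real forwarder (a constructed stand-in)."""
    if is_blocked(name, blocked):
        return SINKHOLE
    return upstream.get(normalize(name))


if __name__ == "__main__":
    blocked = parse_hosts_blocklist(SAMPLE_BLOCKLIST)
    fake_upstream = {"example.org": "192.0.2.1"}  # TEST-NET address, constructed
    for host in ("ads.example.net", "cdn.tracker.example.com", "example.org"):
        print(f"{host:28} -> {resolve(host, blocked, fake_upstream)}")
```

The caveat that goes with any DNS-based blocker: it only sees queries that reach it. A device or app that talks to a hard-coded resolver or uses DNS over HTTPS walks straight past the sinkhole, which is why router-level setups also block outbound port 53 to anything but the Pi-hole.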

Wait – what? My ISP has all this data on me?

Yes. Yes they do. They have it and sell it to advertisers, data brokers, and anyone who will buy it, so they can make some more money.

Wait – what? That’s insane! They can see everything I do. That’s creepy.

Yes, yes they can. My ISP will see when I publish this online and will see the domain I went to (with HTTPS they don't see the full URL or the page contents, but the DNS lookup and the TLS handshake still reveal the hostname). There is not a person sitting there watching the data go by and what you are doing on your screen. They keep it in logs for X amount of time and try to make some money off of it. Maybe some pass it off to the NSA for cataloging, but in the end, they just want to make their customers happy enough that we keep paying them, so really they just try to provide a service.

Why are you telling me all of this then?

To talk about VPNs. There are a lot of advertisements for VPNs. Keep yourself private, they say! Your ISP knows who you are, they say! I need a VPN!

No, you probably don’t.

Remote workers should use a VPN. See, VPN means virtual private network – meaning that, in the simplest terms, it keeps all the data inside that network (there are other things to consider, like split tunneling, data leaking before the tunnel is up, etc., but we aren't going to talk about them), and that's important for work. Work data should remain there and most of the time not on a person's home computer, so yay for the VPN!

Home use of a VPN can be tricky, ineffective, and give a very false sense of security, so I will not recommend any that I see out there. Not that they are bad; it's how they are used that is important.

Let's say I want to "mask" where I am (like in a bad episode of CSI). I use a VPN on my home computer and send out a nasty email from a weird email account to the president of a big business. I also check and use this email from my phone when it is connected to my home wifi, or from work. Oh, cool – they now know who I am and can figure these things out. I did not hide anything. I just paid someone for a VPN service that didn't protect me, because I didn't protect myself.

Better off is to practice good internet etiquette and not do illegal things. I am not making the argument that if you have nothing to hide you shouldn't fear people watching you – I am saying they are better at watching than you/I are at hiding things, so don't be mean to people, or try to be anonymous, or do illegal things and think you are gonna get away with it because of a VPN.

If you don't want Google guessing everything about you based on your search history, or Verizon knowing everything as you search Yahoo!, there are alternatives. Get off Chrome and use Brave. You can also use DuckDuckGo or Bing to search, and things are a little cleaner.

Incognito/Private Browsing

This. This is so your partner or kid doesn't see what you are getting them for their birthday. All it does is stop the browser from keeping history, cookies and cache on that device once the window is closed. It is not for hiding things from the police or anyone who can see/log your traffic (think your Pi-hole server log, your ISP, or the sites you visit). If you wouldn't do it in front of someone, then this is not a way to mask that. Just remember that.

Serious Privacy/Anonymity

If you are an activist/whistleblower/someone in need of serious safety, look up how to protect yourself in many ways and do that. A VPN is not for that. This whole post is not for that.

Secure Communications

Finally I’ll touch on secure communications, something a little more than a text message.

MMS and SMS messages are inherently insecure. They were created with security as an afterthought, and that afterthought has been forgotten about.

iMessage is end-to-end encrypted only when all parties are using it (if one person is on SMS, the conversation falls back to plain SMS). And this is how most secure messaging apps work. Many people use Facebook Messenger. I hear ya. End-to-end encryption ("Secret Conversations") can be turned on, but it is off by default and must be turned on per conversation, and it is run by Facebook, the company that offered a VPN (Onavo) so they could see your traffic.

Facebook Messenger and WhatsApp both use the Signal Protocol as their underlying encryption, so why not just use Signal? You will actually be pretty surprised at how many people do use it. It has a good reputation and is actively being worked on for more features. If you have something you want to keep between you and the other person, this is a good option. I hear Telegram does much the same thing, but I have not used it. (One caveat: Telegram's regular and group chats are not end-to-end encrypted; only its one-to-one Secret Chats are.)

Is there ever an end?

This is not an exhaustive list or article, and I know it's missing things like links and footnotes for more reading, but things like privacy and security are always evolving and this is just the tip of my iceberg and what I do at home.

I didn't even mention why Ring is a horrible thing and the IoT is a nightmare. See…

The guns.

The batons.

The riot gear.

The tear gas.

The flash bombs.

The tasers.

The surplus military assault vehicles.

All of the weapons used by the police.

Lock 'em up for the minimum a citizen would get for an assault and battery charge.

Now that all the police toys of intimidation are locked up, let’s let the police go do their job.

What? Do their job without guns and riot gear? Do their job without tear gas and surplus assault vehicles? How are they to keep the peace? How are they to uphold the law?

Well, let’s let them figure it out. Let’s let them spend time in the community. Let’s let them get to know the people they are to protect and serve.

Let’s let them learn to fix this without violence and intimidation – because really, it starts at home. One town and one cop at a time. Let the cop who knows how to do it show the one who doesn’t. Let them train how to be a peace officer and not a cop.

And if so many don't want to do it any more, if so many say it's not gonna work, let them go – there will be people who come in and step up to the plate to take care of each other without doing harm.

So – lock ’em up. Lock ’em all up and hope we forget the key.

I know shit can be scary.

We live in a scary place.

But those of you in blue are not helping. You are supposed to. It says so on those cars you drive around in with all those guns and all that surveillance equipment in them.

Instead of seeing someone doing something wrong and stopping it, which I am pretty sure you are trained to do, you sit by, watch it happen then suit up to fight about it when the people call you out on it.

Not a good look and not a good way to win the long game.

It was real fast how you doubled down there. How fast you were able to mobilize all the blue lives.

It was real quick how fast you were able to get the tear gas and the face masks, the batons, and the rubber bullets ready to “defend” against the mourners and the protesters.

It was real quick how you were able to point out and hit the press when no one could see your face.

You did not just mess up by giving a person a bogus traffic ticket.

You didn’t fuck up by pulling in the wrong person for questioning and treating them badly.

You killed a man.

Instead of arresting the killer you suit up.

Instead of working with the community to right the wrong you dole out overtime to gas and shoot mourners and protesters.

This doubling down on the Blue Lives Matter shit is going to get a lot more people killed than needed.

If you really want to “man up”, then sit down, shut up, and take responsibility for your actions.

Oh look, I’ve written about this before. As I read back on these I am sad. Sad that things are not changing, and I need to do more. I need to learn more to make this a better world.

Set the stage:

It’s past bed time. The stalling has commenced. While I wait for the child to brush teeth I open my computer.

It is my fault.

He walks in. Toothbrush in mouth.

“Papa. How do you make the computer do things? Like, how do you make it answer questions?”

Ah, I remember. I was writing up a script the other day and he was asking about this. Because he knows how to play games. He knows how to search the internet.

So, I pull up a terminal, type python and he says, “Yeah! That!”.

Okay, so I know he’s stalling, but He also knows he’s got me.

We start with what a variable is and add up the kids' ages. I type their ages and then he types in the command to add them up.

He then takes the keyboard and wants to make himself a bigger number. After he types it and tries to change his brother to a word, we see what happens.

I teach him about the up arrow so he can save a few seconds of typing and also see that only one variable has changed.

We talk about the error message and how strings need to be wrapped in quotes.

He puts the string in quotes but gets a new error.

Not frustrated yet.

This is where I teach him about casting variables to a type. I should have taught him how to find out a variable's type, but I didn't think about that until writing this. Oh well, there will be more times.

Seeing how he can concatenate words, he wants to make a silly word. He wants to make the word 'malvin'.

He changes the variables, remembering the quotes.

Oops. Almost there. What went wrong, I ask.

Figured that one out pretty quick.

What next?

Bed. That was a good start for the evening.

';--have i been pwned?, you've heard of it, right? Let's pretend you haven't. It collects breached data and lets people know if their email has been found in a data breach or their credentials are up in a paste.

I want to check to see if my email is there. Cool. I can go to the website and type in my email address and see where it’s been collected. Trust me. It’s been collected.

Now, let's say I want to check on everyone in my family after I hear about a breach in the news. Or I run IT for a small org that has me do everything. Or I am in charge of making sure those in the C-suite are kept safe.

What can I do? I can pay a vendor a lot of money to “protect” me. I can pay for identity monitoring.

I can use the API.

I can also find a free script to run that will check this for me and give me the info I need with the freedom to change it for my needs.

There are many scripts out there that will do this. Here is one of them. Written in python.

By me. Using the API mentioned above.

Written a while ago, but updated recently to deal with the new API (which now costs $3.50/month to use – more on that here). I think it's a good little ditty that will check one email or a set of emails from a file.
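For anyone who wants to see what "using the API" involves before cloning the repository, here is an added example (my code, not hibp_quickCheck) of the v3 breachedaccount call and the handling around it: the key goes in the hibp-api-key header, a 404 means "not in any breach" rather than an error, and a 429 carries a Retry-After that a script checking a whole family or org has to honour. The transport is injectable so the breach records below, which are constructed and not real breaches, can drive it offline; the names and helper functions are mine.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

API_BASE = "https://haveibeenpwned.com/api/v3"
Response = Tuple[int, Dict[str, str], bytes]  # (status, headers, body)


class RateLimited(Exception):
    def __init__(self, retry_after: float):
        super().__init__(f"rate limited, retry after {retry_after}s")
        self.retry_after = retry_after


def build_request(account: str, api_key: str,
                  user_agent: str = "hibp-quickcheck-example/0.1") -> urllib.request.Request:
    """v3 needs the key in the hibp-api-key header and a descriptive user-agent;
    the account sits in the URL path, so it must be percent-encoded."""
    url = f"{API_BASE}/breachedaccount/{urllib.parse.quote(account, safe='')}?truncateResponse=false"
    return urllib.request.Request(url, headers={"hibp-api-key": api_key, "user-agent": user_agent})


def urllib_opener(req: urllib.request.Request) -> Response:
    """Real transport. Turns HTTP errors into (status, headers, body) tuples
    so the caller can treat 404/429 as data rather than as exceptions."""
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read()


def summarize(breaches: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Keep what matters for a 'do I need to act?' decision, newest first."""
    rows = [{
        "name": b["Name"],
        "date": b.get("BreachDate", ""),
        "passwords": "Passwords" in b.get("DataClasses", []),
        "sensitive": bool(b.get("IsSensitive", False)),
    } for b in breaches]
    return sorted(rows, key=lambda r: r["date"], reverse=True)


def check_account(account: str, api_key: str,
                  opener: Callable[[urllib.request.Request], Response] = urllib_opener
                  ) -> List[Dict[str, Any]]:
    status, headers, body = opener(build_request(account, api_key))
    lowered = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        return summarize(json.loads(body.decode("utf-8")))
    if status == 404:
        return []  # the API answers 404 when the account is in no breach
    if status == 429:
        raise RateLimited(float(lowered.get("retry-after", "2")))
    if status == 401:
        raise PermissionError("hibp-api-key missing or rejected")
    raise RuntimeError(f"unexpected HTTP {status} for {account}")


def check_many(accounts: List[str], api_key: str,
               opener: Callable[[urllib.request.Request], Response] = urllib_opener,
               pause: float = 1.6, max_retries: int = 2
               ) -> Dict[str, Optional[List[Dict[str, Any]]]]:
    """Check a list (e.g. one address per line from a file): dedupe, pace the
    requests, and honour Retry-After. None means we gave up on that account."""
    results: Dict[str, Optional[List[Dict[str, Any]]]] = {}
    unique = list(dict.fromkeys(a.strip().lower() for a in accounts if a.strip()))
    for account in unique:
        for attempt in range(max_retries + 1):
            try:
                results[account] = check_account(account, api_key, opener)
                break
            except RateLimited as rl:
                if attempt == max_retries:
                    results[account] = None
                else:
                    time.sleep(rl.retry_after)
        time.sleep(pause)
    return results


# Constructed sample in the shape of the API's response (not real breaches).
SAMPLE_BREACHES = [
    {"Name": "ExampleShop", "Title": "Example Shop", "Domain": "shop.example",
     "BreachDate": "2017-03-09", "PwnCount": 12345,
     "DataClasses": ["Email addresses", "Passwords"], "IsVerified": True, "IsSensitive": False},
    {"Name": "ExampleForum", "Title": "Example Forum", "Domain": "forum.example",
     "BreachDate": "2019-11-21", "PwnCount": 678,
     "DataClasses": ["Email addresses", "Usernames"], "IsVerified": True, "IsSensitive": False},
]
SAMPLE_BODY = json.dumps(SAMPLE_BREACHES).encode("utf-8")


if __name__ == "__main__":
    # offline demo: a fake opener that always returns the constructed payload
    demo = check_many(["user@example.com"], "not-a-real-key",
                      opener=lambda req: (200, {}, SAMPLE_BODY), pause=0)
    for account, rows in demo.items():
        print(account, rows)
```

Two things worth keeping from this even if you write your own: never log the full list of breaches next to the address in a shared place (the result is itself sensitive, especially when `sensitive` is true), and keep the API key out of the script, in an environment variable or the OS keychain.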

Who is this for?

First it was just for me; then my thoughts moved to the real audience for this: the family techie who is always watching out for the others, or the IT team of one for that small but very important organization without the huge budget.

Check it out…

https://github.com/m0nkeyplay/hibp_quickCheck

What more do you need?

No, really, what more do you want from it? Let me know and I’ll see what I can do.

My family, like many, has been staying at home for a while now. To the point where we are hearing about opening things up again – for the economy!™ Trust me. We want to get back out there. We want to mingle. We want to go to a restaurant. We want to go to a park and see our friends.

We have a 3-year-old who for the first time understands what a birthday party is. And we want to give him one. But it's in June.

We have camps contacting us about whether we feel comfortable sending our child. We have the Y asking how we feel about starting up classes soon.

And my gut answer today is no. It is, I am sorry, no. I don’t feel comfortable going back to these things yet, no matter how much I want to. Not even for the economy! ™

Here is why. See, I know I am not the only person here. I know I am not the only person with kids and with parents. I want my kids to see my parents. They dearly miss their grandma who is close and those who are far. I want them to safely see each other. And we can't. We can't do that in May. We can't do that in June if the kids are in the camps that really want to reopen – because nothing has changed.

Yes. Those who are dying may get to a hospital, but the rules and ways for that to happen are too slim to risk my mother for that.

Listen, I trust my governor. He speaks with honesty and more honesty and I believe when he says he’s working for the best and if what’s happening isn’t for the best, they will work to change it.

I trust my mayor. He and the town are doing all they can to help everyone out.

I trust my doctor. She is who I will go to when I need to ask questions.

But this is where the trust stops – and I need more trust than that. I need trust that If my doctor says – hey, you or your family need a test – that my family will get it. No questions asked.

And you know what? I don’t trust my health insurer or the federal government to provide that unless we are damn sure to become a statistic. The government meant to protect us all wants nothing to do with us. They don’t want to help. Nothing new has come out to help people when we do open up. No guaranteed help for those who need it. No help to detect and prevent in all the time we have been asked to stay inside. Only blame.

The only reason my health care provider is providing testing is because it was mandated. Until the day it was noted they would be paid back, it was considered part of our deductible, and to this day, we need to get our sick body to a CDC-approved testing site. And, while I am in the Midwest, I am in a major metro area where there isn't one.

So, my doc can try to help our family. My local government is trying to keep us safe, but until the insurers want to help and the feds are more worried about keeping people healthy and alive than about how they look, I can't open up and go back to trotting around.

I don’t want my kids to make my mom sick. I don’t want to make my mom sick.

I know there will be tests. There will be things we can do to keep everyone safe. Until that comes about… Until it’s available to all… I don’t know how to properly move forward.

iOS Version – what info does it reveal?

Scrolling through Twitter this evening and I came across this.

It reminded me of when the NSA released Ghidra, but from the people who brought us Mulder and Scully. I love Mulder and Scully.

Having been playing around to see who apps are talking to, this seemed like a good one to try.

I downloaded the app. It did not ask for permission to use anything on my phone. Before I could use it, I needed to agree to their rather simple privacy statement (there was also a health statement above it that was a bit longer).

So, according to this, info is only stored on my phone and not transmitted to, or saved by, the F B I (say it like Mulder).

They also wanted me to tell them my sex. I could change that at any time.

Then I tried to do the sit up challenge. Okay, I moved it like a shake weight in my arm, but did the challenge to see what happened.

This was a very limited test, but the app is rather limited, so I stopped there.

What did I find?

First, the app did talk. It didn’t talk to the FBI. It did talk to the folks the FBI hired out to make the app.

So, what did it send to this oh-so-trusted app developer, who provides analytics for all tiers of apps?

Really, not that much exciting stuff. It did use a hardware identifier that I can't match to anything shown on my device, and it sent it in every post to the developer. (Its shape, a UUID, is what iOS hands apps as the vendor identifier; that value is stable across launches and only resets when all of that vendor's apps are removed, so it is enough to tie all of my events together even without a name or email.)

{
    "os": {
      "name": "ios",
      "version": "13.3.1"
    },
    "hardware": {
      "id": "A444626E-0AC8-4951-B70C-FD6E6240967F",
      "name": "iPhone9,1",
      "arch": "arm64"
    }
}

It also noted when I started the situps test, but nothing really more exciting than that.

    "app": "bd1eca37-c244-4ebf-9999-50dfa4fc62e7",
    "id": "1D42EEBB-5E74-4D66-A79F-A653AD407E3B",
    "event": "iphone.Sit-Ups Test Started.",
    "data": {
      "sdk_version": "8.0.2",
      "app_name": "FitTest",
      "timezone": -300,
      "app_id": "com.fbi.fittest"
    },
    "hardware": {
      "id": "A444626E-0AC8-4951-B70C-FD6E6240967F",
      "name": "iPhone9,1",
      "arch": "arm64"
    },

It didn't send my chosen sex at any time. It didn't even send how awesome I was when I finished my "situps". It just moved on to the next screen I looked at and posted an event like this for each screen.
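When you capture traffic like this, the useful question is not "did it send my name" but "which values let the receiver link every post back to the same device". As an added example (my code, not the app's or the analytics vendor's), the block below walks captured events, labels the fields that look like identifiers (UUIDs, the device model, the bundle id, the timezone offset, version strings), and then reports which UUIDs are identical across every event. The events are constructed from the posts shown above; the second event's per-post id and event name are made up, the rest are the values on this page.

```python
import re
from typing import Any, Dict, Iterator, List, Optional, Tuple

UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)
APPLE_MODEL_RE = re.compile(r"^(?:iPhone|iPad|iPod|Watch|AppleTV)\d+,\d+$")
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9_-]+)+$")
VERSION_RE = re.compile(r"^\d+(?:\.\d+)+$")
BUNDLE_KEYS = {"app_id", "bundle_id", "bundle", "package"}


def leaves(obj: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Walk nested JSON, yielding (dotted.path, scalar) for every leaf."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from leaves(value, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from leaves(value, f"{path}[{i}]")
    else:
        yield path, obj


def classify(path: str, value: Any) -> Optional[str]:
    """Label a leaf if it looks like something that identifies the device,
    the app or the user's surroundings; None for everything else."""
    key = path.rsplit(".", 1)[-1].lower()
    if isinstance(value, str):
        if UUID_RE.match(value):
            return "uuid"
        if APPLE_MODEL_RE.match(value):
            return "device-model"
        if key in BUNDLE_KEYS and BUNDLE_ID_RE.match(value):
            return "bundle-id"
        if VERSION_RE.match(value):
            return "version"
    elif isinstance(value, (int, float)) and not isinstance(value, bool) and "timezone" in key:
        return "timezone-offset"
    return None


def find_identifiers(event: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """(path, kind, value) for every identifying-looking leaf in one event."""
    found = []
    for path, value in leaves(event):
        kind = classify(path, value)
        if kind:
            found.append((path, kind, str(value)))
    return found


def persistent_identifiers(events: List[Dict[str, Any]]) -> Dict[str, str]:
    """UUIDs that are identical in every event. A value that changes per event
    (like the per-post "id") is just a message id; one that never changes is
    what lets the receiver stitch all of your posts into one profile."""
    if not events:
        return {}
    per_event = [{p: v for p, v in leaves(e) if classify(p, v) == "uuid"} for e in events]
    return {p: v for p, v in per_event[0].items()
            if all(other.get(p) == v for other in per_event[1:])}


# Constructed events in the shape of the captured posts above. The values in
# the first are the ones shown on this page; the second's "id" and "event"
# are made up to stand for the next screen's post.
EVENT_SITUPS = {
    "app": "bd1eca37-c244-4ebf-9999-50dfa4fc62e7",
    "id": "1D42EEBB-5E74-4D66-A79F-A653AD407E3B",
    "event": "iphone.Sit-Ups Test Started.",
    "data": {"sdk_version": "8.0.2", "app_name": "FitTest", "timezone": -300, "app_id": "com.fbi.fittest"},
    "os": {"name": "ios", "version": "13.3.1"},
    "hardware": {"id": "A444626E-0AC8-4951-B70C-FD6E6240967F", "name": "iPhone9,1", "arch": "arm64"},
}
EVENT_SCREEN = {
    **EVENT_SITUPS,
    "id": "0B1D2C3E-4F50-4617-8899-AABBCCDDEEFF",  # constructed per-post id
    "event": "iphone.Screen Viewed.",              # constructed event name
}

if __name__ == "__main__":
    for path, kind, value in find_identifiers(EVENT_SITUPS):
        print(f"{kind:16} {path:20} {value}")
    print("persistent:", persistent_identifiers([EVENT_SITUPS, EVENT_SCREEN]))
```

Run over a real capture, the interesting output is the last line: anything that survives `persistent_identifiers` is the handle the vendor keeps, whatever the privacy statement says about names and emails.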

I didn’t leave it running in the background and keep seeing what was happening. I didn’t do any big isolation tests and didn’t install on an android device to see what happens, so this really isn’t very complete.

What I do know, though, is that my daily yoga app, which I love and pay for, talks to more places just when I start it up than this app did when I gave it a quick run-through.

Would I use the app? No. Out of privacy concerns? No.

How did I catch the data? That’s here.

Thanks!