Archive | Other Computing RSS feed for this section

Remove files metadata with BatchPurifier

/ 17 May, 2012 / Other Computing / Permalink

BatchPurifier Lite review

Every time you create a document, take a digital photograph or edit a movie, hidden data called metadata will be embedded inside the file, that data can contain the author’s name,  date, software or camera used, copyright notices and even GPS Geolocation showing the exact location where a photograph was taken. BatchPurifier is a tool to remove metadata from dozens of different files, the Lite version reviewed here only works with .jpeg images.

Metadata found on JPEG files  

 Camera manufacturers and image editing software companies can come up with their own proprietary metadata embedding system embodying anything the developer wants to your photographs, typically a digital JPEG image metadata will contain:

  • EXIF (Exchangeable Image File Format) data automatically added to photos by all digital cameras and some scanners, details stored in EXIF show the date and time a photo was taken, camera brand and model, hardware unique serial number, exact location if the camera had GPS enabled (i.e. iPhone), and a small thumbnail of the photo that sometimes is not updated by software after you edit the image leading to a possible recovery of the original file.
  • XMP (Extensible Metadata Platform) is added by software tools and it contains details given by the user, like keywords, notes, description and category.
  • ICC profile contains colour management data used to be able to view a photograph in another device with different specs.
BatchPurifier image metadata removal

BatchPurifier image metadata removal

BatchPurifier Lite has a five step wizard interface guiding you through the metadata removing process giving substantial information on a side bar about what each acronym means, you can choose to only remove part of the hidden data ticking a checkbox next to each attribute, at the end you will be given the choice to save the image as new or overwrite the original file. It is possible to remove thousands of images metadata at once adding multiple jpegs or a whole folder including subfolders and even compressed .zip files with images inside.

Optionally there is no need to open up the program to clear an image metadata, BatchPurifier integrates with Windows shell menu, advanced users can use BatchPurifier from command line integrating it with a script, this could be used for example to automatically get rid of all metadata in files stored inside a certain folder .

Visit BatchPurifier homepage

0 Comments

Mymail-Crypt for Gmail GPG encryption (Chrome)

/ 15 May, 2012 / Other Computing / Permalink

Mymail-Crypt for Gmail

Mymail-Crypt is a Chrome browser addon to encrypt messages with GPG operating within Gmail webmail interface, the project aims to be OpenPGP compatible to be able to communicate with anybody using public key encryption even if they have different PGP or GPG software. After installing Mymail-Crypt you will have to generate your encryption keys, this can be done with the addon, entering a password is optional and highly recommended, if you don’t use a password anyone breaking into your Gmail account will be able to decrypt sign and encrypt messages supplanting your identity. Encryption keys can and must be backed up.

Mymail-Crypt is fairly easy to use, you will see a button in Gmail compose screen with the options “Encrypt and sign“, “Encrypt“, “Sign“. Received encrypted Gmail messages can be read using the drop down menu “Decrypt” option and entering your password.

MyMail-Crypt GPG Chrome Gmail

MyMail-Crypt GPG Chrome Gmail

The project uses an OpenPGP open source library called Openpgp.js , it runs locally in JavaScript, messages are encrypted/decrypted in your browser. This addon will stop Google and others from reading your emails during transit but email drafts and decrypted autosaves will be saved in the clear to Gmail servers, encryption only takes places after you click on the “Encrypt” button, it will not protect you while you are composing the message, the developer also warns that it is possible for Gmail to get hold of the encryption password  monitoring the user when he types it in.

Another way to encrypt Gmail messages with GPG is using Thunderbird and Enigmail but it won’t work for webmail, or obtaining a digital certificate for your email client.

Visit Mymail-Crypt Chrome store homepage

0 Comments

Dislocker, a free tool to decrypt Bitlocker volumes

/ 8 May, 2012 / Other Computing / Permalink

Bitlocker decryption

Dislocker is a Linux and Mac OS X computer forensics tool to read Bitlocker encrypted partitions, it can be used with FUSE (Filesystem in Userspace), a loadable Unix Kernel module, or without it, once the partition has been decrypted you can mount it as NTFS and read or copy everything.

Bitlocker is a Microsoft utility designed with businesses in mind to fully encrypt a hard drive, it is only available in Windows Ultimate, Enterprise and Server platforms, Windows 8 will include it too. The encryption key can be stored inside a Trusted Platform Module chip found in high end computer motherboards. Although there is not known Bitlocker backdoor most businesses will ask for a password recovery option, Bitlocker allows you to create a recovery key that can be printed or stored in external media.

Hard drive Bitlocker encryption

Hard drive Bitlocker encryption

Bitlocker uses AES encryption in CBC mode with an optional Elephant diffuser, the Full Volume Encryption Key (FVEK) will be the same size as the encryption strength used, i.e. when encrypted with AES128bit the FVEK is 128bits long, in AES256bit mode the FVEK is 256bits long and if the Elephant diffuser is used the encryption key will be 512 bits long.

Dislocker is not a tool to crack a Bitlocker encrypted drive, the idea is to help investigators who already own the recovery password, external key file (BEK) or a clear key to access the volume, other tools like Encase can already do that but they are not free like Dislocker. The only approach to break a fully encrypted drive is getting hold of the computer while it is switched on and extract the encryption keys from RAM or try to brute force the passphrase in case the user has been stupid enough to use a dictionary word.

Visit Dislocker homepage

0 Comments

SandCat browser for website penetration testing

/ 2 May, 2012 / Other Computing / Permalink

SandCat browser review

SandCat is a free portable penetration testing browser based on Chromium, the rendering engine behind Chrome browser, thanks to extensions support you can quickly find out what server software is being used by a website, run javascript in the loaded page, view cookies and links, use a cgi scanner, HTTP brute force a page and much more. Three tabs at the bottom of the browser allow you to easily change view from normal to source code or logs.

Coders can create their own browser extensions with HTML, CSS and Lua (a programming language), Syhunt, the browser developers, own RudaScript library allows you to execute any scripting language, like Ruby, Python, PHP, javascript, etc.

SandCat browser penetration testing

SandCat browser penetration testing

Although the browser is directed towards system administrators to test their own web server security and people scrutinizing pages that contain malware, privacy activists could use SandCat to see in real time how they are being tracked on the Internet, the browser can split its main window in half to show all HTTP live headers in real time on top of it, it can also be used to teach people how websites work, looking at the HTTP headers as you browse a website shows all of the external elements being download, packet sizes, request methods (GET/POST), pings, advertising networks, redirects… It is much more clear than seeing a website activity using a packet sniffer full of binary numbers that have to be grouped together.

The browser is too technical for the average user, unless you are a student, hardcore geek or professional PEN tester it wouldn’t make much sense for you to run SandCat.

Visit SandCat browser homepage

0 Comments

SPDY, a quicker and safer HTTP browser protocol

/ 29 April, 2012 / Other Computing / Permalink

SPDY protocol explained

SPDY, pronounced “speedy”, is a new experimental protocol developed by Google to speed up the Internet and make it safer. HTTP (Hypertext Transfer Protocol) was never designed to efficiently download a large number of small files, it was meant to attend a single request each time. As the Internet age advanced websites kept adding elements like CSS (Cascade Style Sheets), external javascript, XML and images, all of those multiple elements needed to be downloaded together for the user to be able to view a webpage, resulting in bottlenecks and delays.

The ultramodern SPDY protocol ambition is to reduce website load, latency and increase security, it wants to replace parts of the old HTTP providing faster communication in between server and browser. SPDY uses less TCP connections wrapping up multiplexing in a single stream and manages TCP more efficiently prioritizing the resources needed to be send first, reducing upstream data and cutting down the number of handshakes, it also supports “server push” a technology that predicts what will be downloaded next, sending it to the browser before a request is made.

SPDY protocol status in Chrome browser

SPDY protocol status in Chrome browser

SPDY is turned on by default in Google Chrome, see it by typing “chrome://net-internals” into the Omnibox, and Firefox will turn it on in their next Firefox 13 release, to enable it now, go to “about:config“, search for “network.http.spdy.enabled” and set it to “true“. An Apache server SPDY module exists and Nginx based servers (used by Facebook and Hulu) and Jetty web servers (Ubuntu, Zimbra) will support it soon making it easy for webmasters to deploy SPDY, the protocol won’t work unless server and browser both support it.

Browsers that currently work with SDPY are Chrome, Firefox, SeaMonkey and Amazon Kindle Silk, the only websites I know of at this time supporting SDPY are Google services (Gmail, search,etc) and Twitter. Safari and Internet Explorer do not have immediate plans to support the protocol leaving half of the Internet population out and making it more difficult for the Internet Engineering Task Force ( IETF) in charge of the HTTP protocol to approve a backwards compatible neutral standard.

Compulsory SSL connection 

The SPDY protocol makes it mandatory to encrypt all connections with websites using SSL, webmasters must install a SSL certificate in their servers for this endeavour. As good as it seems, various webmasters have objected to the approach arguing that when you multiply millions of SSL encryption and decryption requests the server CPU hardware needs a hardware upgrade and extra arrangements for heat dissipation provoking costs to go up.

The second problem is that  requiring all webmasters to have an SSL certificate will end up with many of them not bothering renewing the certificates and users will start to get used to see “expired digital certificate” warnings clicking on the ignore button without even reading it.

Read Google’s SPDY white paper

0 Comments

HotSpotShield alternative, free VPN SpotFlux

/ 25 April, 2012 / Other Computing / Permalink

SpotFlux review

Spotflux is a free VPN for Mac and Windows computers, it can help you get around censorship in countries where ISPs block websites, theoretically it can bypass computer Internet filters but it is not portable and you need administrator rights to install it, you won’t be able to use Spotflux in your college or workplace unless you have your own laptop.

I tested their speed from Europe a few times and it gave me a consistent 1MB/1.5MB, enough to stream online video, hoovering your mouse over the Windows tray will show your given IP,  Spotflux  provides a US computer IP allowing you to access CWTV, ABC, Pandora radio and other websites restricted to US residents only, I tried to watch Hulu and it worked fine, the same with Pandora Radio.

During installation the software will ask you to install a device driver and also to run Java, this is one part that I did not like, I have used multiple VPNs in the past and I have never been asked to run a Java app, Java runs locally in your computer it has been exploited in the past and it could endanger your security unless you are really sure that the place you downloaded it from is trustworthy.

Free VPN SpotFlux

Free VPN SpotFlux

Spotflux settings are very simple, consisting of automatic updates, proxy configuration and language interface. What makes this VPN different from others is that they scan and filter all pages you request for malware and viruses, tracking cookies are filtered out too. Nearly all advertisements are blocked. As a blogger I find this VPN unethical, the reason why I don’t update hacker10 more often is because the scarce income I make here does not justify my posting time. Browser addons blocking adverts allow people configuration options to only target websites abusing privacy and overdone with adverts, Spotflux block all sites, if you use them to visit your favourite sites you will deprive them from advert income and eventually kill the site.

Spotflux privacy policy doesn’t mention what logs they keep and how long for but they say that they will use deep packet inspection of user traffic to cooperate with law enforcement if necessary. This is definitely not a VPN to be used for privacy even if they claim so. I don’t know how they make money with it, I will speculate that Spotflux might start charging for extra services in the future. HotSpotShield privacy policy is equally bad but they don’t have any system in place filtering the sites you visit for “privacy reasons“. I would say that both VPNs, SpotFlux and HotSpotShield, are ok to watch US online TV and that is it,  never use a free VPN like them to check your email if you care about your online privacy.

Visit SpotFlux homepage

0 Comments

GPGAuth logs into a website using GPG/PGP keys

/ 21 April, 2012 / Other Computing / Permalink

GPG website authentication

GPGAuth is an authentication mechanism that allows you to use public/private encryption keys (GnuPG,PGP) to login into a website, there is no need to remember any password or username, GPG keys act as username and password verification is carried out in your browser, trust level for each website can be specified in GPGAuth options, like making sure that the User ID matching the domain has been signed by one of your trusted keys.

Keyloggers are easily defeated as you don’t have to type in anything, the server’s owner is given the public encryption key before hand making man in the middle attacks extremely difficult, with GPGAuth you won’t need to remember multiple passwords for every different site, it can be used as a single sign-on system, it is possible to create multiple User IDs from a solo GPG keypair, this allows for various online identities if needed.

Chrome GPG addon GPGAuth

Chrome GPG addon GPGAuth

The downside is that the website you are using must offer the possibility of using GPGAuth and it hasn’t exactly caught on. The browser addon is only avaible for the Chrome browser at the moment, the project uses the framework FireBreath to be cross compatible with Windows, Linux and Mac computers and all major browsers, there is no technical reason stopping it from being ported to other browsers addons in the future. If Chrome is your main browser you could use it in conjunction with WebPG, a GPG key management addon from the same author, otherwise you will need to have some kind of OpenPGP compatible software installed in your computer.

Visit GPGAuth homepage

0 Comments

Project Meshnet, censorship resistant darknet based on CJDNS

/ 18 April, 2012 / Other Computing / Permalink

Project Meshnet

CJDNS is an open source project building a censorship resistance decentralized network, the routing engine has been designed for security, scalability, speed and ease of use, CJDNS runs on top of your ISP network and provides you with an internal IPv6 address generated from a public encryption key.

A virtual network card (TUN device) is used to send data to anyone connected to the network, what makes CJDNS different from other decentralized P2P projects like PirateBox is that it is routable over the current Internet, nodes can be reached anywhere in the world. In the future, as the number of nodes increases, data packets can be sent wireless in ad-hoc mode. No DNS is required to access a node,  if DNS is ever implemented it will be made decentralized and secure, at the moment  the user only needs to know the IPv6 address and paste it in the browser.

Project MeshNet CJDNS darknet

Project MeshNet CJDNS flowchart

Man in the middle attacks are not possible because public key encryption is used to send packets, CJDNS provides privacy too, other users can’t locate people by simply looking up their internal IPv6 address, node operators could track a user down but only if the community helps them out. Unlike the tor network , the node operator that gave someone access to the mesh can deal with abuse and ban people, a CJDNS network abuse policy will have been democratically decided by those who are part of the network, stopping Government interference and frivolous multinational lawsuits. CJDNS is not trying to replace tor, it wants to replace the Internet, the idea is that with all hardware working in P2P mode a single person can’t be intimidated into shutting down the network,  there isn’t any central infrastructure that can be attacked.

Like with darknets, to join CJDNS you will first need a friend inside giving you access, once in the network you can connect to everyone else. Hyperboria is the main CJDNS network composed of dozens of nodes. To connect to the IPv6 addresses, Hyperboria sites, you will need to be running CJDNS, it doesn’t matter if your computer is using IPv4 as CJDNS encapsulates IPv6 into IPv4 packets for routing.

The network is resistant to Distributed Denial of Service ( DDoS ) because it has too many nodes to bring down, this makes CJDNS enduring to natural disasters too, there isn’t a single point of failure. CJDNS can be installed in OpenWRT routers, MAC and Linux computers, Windows is being tested on, hardware requirements are low and if you run a node you can host anything that doesn’t go against the community values.

Visit Project Meshnet homepage

1 Comment

Defeat DNS censorship with ODDNS P2P DNS

/ 13 April, 2012 / Other Computing / Permalink

ODDNS review

Doman Name System (DNS) is a technology that translates URL names into IP addresses, without DNS it would be impossible to type an easy to remember name in our browser toolbar we would be forced to remember computer IPs instead. DNS censorship is one of the most used systems to block websites, since all domains have to resolve in a nameserver it is possible to impede all request for a certain website on the central server, some ISPs in Europe already use this system to block websites serving what they consider to be child pornography and ISPs in China or Iran also use DNS blocking as part of their Internet filtering efforts. One way around is changing the default ISP DNS servers by unfiltered ones, if you would like to use a VPN in China, you should use something like Comodo DNS or it possibly won’t work.

Big multinationals running their own DNS servers block access through their network to websites that breach the company IT policy. It is possible for an IT department or ISP to serve a page not found or time out message when you attempt to visit a specific URL, they might or might not inform you that the page is blocked, it is up to them, they can even show you a fake page.

ODDNS decentralized P2P DNS

ODDNS decentralized P2P DNS

ODDNS (Open and Decentralized DNS)  is  an open source (GPL3) Peer-to-Peer DNS system that can act as an alternative or complement the conventional DNS system, webmasters can install it at home in their own computer, ideally a dedicated one, depending on load. ODDNS enables communication with other DNS servers working as a P2P client and server at the same time, there is no root server or domain registration authority (ICANN) involved in the running of the nameservers, only users.

The idea of using a decentralized DNS system is to stop censorship from any Government in the world and eliminate domain registrars, this makes domain seizure and blocking of websites impossible. Anyone running ODDNS can create and maintain his own domain name for free, the project success relies on the number of people running ODDNS in their computers.

Visit ODDNS homepage

Note: You need to have some basic Unix knowledge to run ODDNS in your computer.

2 Comments

List of free speech and offshore hosting companies

/ 29 March, 2012 / Other Computing / Permalink

Free speech webhosting

When choosing a free speech hosting company you should assess the kind of content you host, for example, in the USA although the 1st Amendment protects free speech a powerful multinational can try to get around it by launching a frivolous lawsuit that a small webmaster can’t fight in court due to lack of resources, and in China any pro Tibet website will be taken down by the Government.

You will leave tracks behind when you upload your site and make payments, these companies are not truly anonymous even thought some advertise as such, to host controversial content anonymously use tor hidden sites, i2P and Freenet, but they will only be reachable by people using the appropriate software.

Free speech hosting 

  • NearlyFreeSpeech: Pay as you go webhost based in the US, you only pay for the amount of bandwidth and storage space that your website uses, it runs its own custom hosting panel. As long as your content is legal in the US, where their servers are based, you will never be asked to take the content down. Ideal shared hosting for small websites.
  • Privacy.li: Offering privacy hosting in the US, EU, Asia and Russia, they claim that hosting controversial websites is not a problem even giving examples of controversial websites, like those selling cannabis, for which they recommend the Dutch server, fake Rolex watches for which they recommend hosting in Hong Kong and so on.
  • Anonymous Speech: Servers located in Asia, it can be paid using cash, Paypal or credit card, this company also provides anonymous domain name registration and encrypted email services that do not keep logs. They offer shared and dedicated hosting, it allows for the creation of sub domains and comes with a free secure email account.
  • Invisihosting: Affordable hosting for small websites, VPS can be arranged if needed. The company claims that as long as the content is legal they will ignore all requests to take it down. Warez and torrent trackers are specifically banned as they infringe copyright laws.
  • CrisisHost: Small company with servers and HQ located in the US, it offers shared hosting packages with cPanel and SQL database, payable yearly.
  • Zentek International: Based in Hong Kong, they provide shared, dedicated and collocation services, the company claims that you can host anything you want, but no spamming allowed. Payments can be made by credit card, Paypal, cash in the mail, bank wire or Western Union.
  • PRQ.se: Servers and company located in Sweden, if your content is legal in Sweden they will host it, no questions asked. They maintain minimum information about their customers and very few logs, PRQ used to host Wikileaks and other highly controversial content, support for SQL databases, SSL certificates and DNS.

 Offshore hosting

The following hosts have a free speech policy that comes with restrictions, even if your content is legal they can refuse to host it, the only advantage over other traditional hosting is that their servers are offshore.

  • ZenSurfrei: Specialist in offering hosting for neonazi websites in a USA server, where, unlike some European countries, they allow this kind of material. Everything is paid with cash inside an envelope, including the domain name, this guarantees webmaster anonymity.
  • Hosting DoD: Project DoD hosting is managed by a non for profit group, they do not allow porn or sites or content offensive for any ethnic group. You can choose to have a dod.net subdomain name instead of registering your own.
  • 1984 Hosting: Company and servers are all based in Iceland, they will ignore all complaints against legal websites with the exception of racist or pro-pedophilia content, which is not allowed.
  • CCiHosting: Operated and hosted in Panama, offering Linux and Windows servers, they advertise their services as anonymous webhosting. Support provided via live chat or phone.
  • Ctyme: Based in the USA, they do not allow hosting of content like fiction child sex stories, even thought they are legal in the US, not sure about how their “free speech” policy is any better than HostGator or any other major US.
  • AnonymousHosting.in:  The company is registered in privacy friendly Seychelles and has a no information exchange policy with complaints, the servers are located in the Netherlands. Pharmaceutical sites are welcome, racist, any type of child porn, hacking and warez are all banned.
  •  YoHost: Their terms and conditions claims that you can not use their servers to host any kind of porn, sites encouraging the destruction of property will also be removed as well as phishing scams. They only rent a VPS or full server and YoHost will collaborate with law enforcement if criminal content is found.
  • KatzGlobal: Offering hosting in multiple Asian locations (Singapore, China, India, Malaysia, Australia) as well as hosting in the US. They use cPanel and have standard features that come with it, like SQL database, FTP access and POP3 mail boxes. There is no support to host multiple domains on a single account.
  • SecureHost: Located in the Bahamas, it provides dedicated, shared and VPS hosting, they also provide a Bahamas based phone number and fax which messages can be retrieved from abroad. Their terms and conditions state that you can not host anything that SecureHost judges to be harmful to their reputation.
  • Cinipac: Based in Panama, they claim they will not cooperate with authorities or institutions without a proper warrant. Hosting servers are available in the USA, Asia and Europe. The usual phishing, spam and terrorist groups hosting is banned. Backups are encrypted with AES256.

0 Comments