blog.mirabellette.eu

A blog about digital independence and autonomy

Some news about the blog 4 : June 2018

Written by Mirabellette / 10 july 2018 / no comments

Hello everyone

I decided to publish an article each month about the blog in general. In this article, you will find:

  • What I achieved during this period.
  • What I accomplished for the community.
  • How popular the blog and its services are.
  • Balance sheet of the period.
  • Some words about my plans for the next period.

This article is about the month of June 2018.

Period achievements

Articles

01/06/2018: The Knower Oath

Events

  • Nothing special during the month of June.

The blog

  • Improved the accuracy of the statistics tool.

Give back to the community

  • A small donation, as every month, to an association or service I find useful.

Balance sheet of the period

Statistics for this period

I continued to improve the quality of the statistics tool. I think it currently filters 95% to 100% of bots and attacks. Since the middle of June, the data analysed should be very close to the real human traffic.

The article of June was read by very few people. As it wasn't about technology, I only talked about it on Mastodon. For me, it was an important article, because philosophy and responsibility should be behind each of our actions. That is not the reality, because it is very hard to do, but it should be.

More details about the statistic of the month:

[Charts: views this month, days with most reads, most-read articles, referers]
  • Pages were viewed 400 times this month.
  • The most-read article this month was the French translation of the article about hosting Firefox bookmarks, with 234 views.
  • The second most-read article was the original article about hosting Firefox bookmarks, with 65 views.
  • The third most-read article was the article of the month of June, The Knower Oath, with 25 views.
  • Once again, most visitors came from journalduhacker.

Unlike the month of May, I got "just" 450 views on the blog. I am not disappointed at all; it's still something huge for me. Even if only one reader finds my articles useful, it will be a success for me.

My point of view

I didn't do a lot during this period. I was quite busy and I didn't write the page about how I manage personal data. The only personal data I store are IP addresses, kept for one month, and the referer. This helps me have more accurate statistics while respecting European law.

For the next month

  • I still have to publish a page about the data I manage here with regard to the GDPR. It will contain information about the statistics tool I built and why I collect data.

Classified in : Blog / Tags : none

Important principles in cybersecurity - 1

Written by Mirabellette / 01 july 2018 / no comments

Introduction

This blog is focused on privacy and digital autonomy. However, digital privacy is not possible without some knowledge of cybersecurity. Today I would like to discuss cybersecurity, and especially the principles I think are important to keep in mind when you begin to think about it. This is the first article of a series of, I think, two or three articles. To begin with, nothing is better than defining the terms. Let's see what Wikipedia says about cybersecurity:

Cybersecurity, computer security or IT security is the protection of computer systems from the theft of or damage to their hardware, software or electronic data, as well as from disruption or misdirection of the services they provide.
Cybersecurity includes controlling physical access to system hardware, as well as protecting against harm that may be done via network access, malicious data and code injection. Also, due to malpractice by operators, whether intentional or accidental, IT security personnel are susceptible to being tricked into deviating from secure procedures through various methods of social engineering.

The important principles

Security is a process, not a product

During one of my previous jobs, a client asked me what concerned me the most about security in the company's IT services. They had devices used by a thousand clients, cloud systems and websites. In my view they had multiple weaknesses that could be abused, but I decided to give an unexpected answer: my main concern was how they managed cybersecurity. Security threats and vulnerabilities will always appear; it is inherent to computer science and to any product. What makes the difference is how you manage them.

As often, I didn't get this idea from nowhere: it is a famous quote from Bruce Schneier. Why is security a process and not a product? Threats and countermeasures constantly evolve. Even if you enable every security feature today, in one year or in three years you will have something to do to remain "secure".

Some examples of things you will have to do by hand:

  • Enable new security features: SELinux, Content Security Policy, ...
  • Replace old cryptographic ciphers with new ones
  • Verify that updates were actually applied; an update can itself disable automatic updates, as WordPress once did
  • Laws evolve and you will have to add or modify features; the GDPR is the latest well-known example
  • Deal with a compromised system
  • Deal with a world-breaking vulnerability (hihi, Heartbleed)

Nothing is invulnerable


I am sorry to tell you, but if you think your system can be invulnerable, you should probably do some research on the subject. Even a computer not connected to the internet can be compromised. Stuxnet, discovered in 2010, managed to sabotage the centrifuges of an Iranian uranium-enrichment facility: industrial equipment that was not connected to the internet and ran on specific systems (Siemens PLCs), reached through infected USB drives. The only thing you can do to protect your systems is to have a good cybersecurity policy and to dedicate time to it.

Another good example of this rule is in cryptography. A lot of people recommend storing data in Google, Microsoft or Amazon cloud services. When you ask them about privacy, they just reply that it is encrypted and therefore fine. I am sorry, but it is not fine, not at all. Do you really think a file encrypted with today's technology will still resist technological progress in 5, 10 or 20 years? The public-key algorithms used today (RSA, elliptic curves) would be broken by a large enough quantum computer running Shor's algorithm; symmetric ciphers such as AES are only weakened by Grover's algorithm, which roughly halves the effective key length, so 256-bit symmetric keys keep a comfortable margin. Data that must stay confidential for decades should therefore rely on such keys today and move to post-quantum key exchange as it gets standardised, because anything captured now can be decrypted later. If you want to know more, look up quantum computing.

Cybersecurity is not easy

I have read in some places that cybersecurity is easy: you just have to do this, this and this and you are secure; or do this, this and this and you have now compromised 10,000 computers. Yes, but no. I am sorry to tell you, but in computer science in general, doing the thing is not what is complicated. What is complicated is to understand how it works underneath and to model the solution. This takes plenty of time and requires dedication and self-denial. An example that comes to mind is when hackers give presentations about offensive security. They often say it takes just 10 lines of code to take control of something.

For me, they are all newbies. First, because they need six lines of code whereas you can do it in one (troll inside :p). Second, because the number of lines is not the point. The hard part of hacking is not writing code, it is understanding how things work and how to fit them together. If you show how to compromise a camera linked to a computer on the same Wi-Fi network as you, you need at least to understand:

  • How a local network works
  • Which systems are connected
  • How to identify whether one of them is vulnerable
  • How to get into it
  • What traces you leave behind

If you don't understand one of these steps, you are a script kiddie who does things without understanding what he is doing. When I began this part by saying they are all newbies, it was just provocation. I have immense respect for other people, and I truly know that I know only a few things and ignore many.

The cybersecurity cursor is set by threats and their associated risks

As in development, you need a cursor in order to avoid spending your time on tasks that are not very important or, in cybersecurity, fighting non-existent risks. I think the most relevant indicator is the threat model: what do I have to protect against? If I have to protect against a government agency, I will tell you honestly, it is lost. If they really want to catch you, they can manage it. In that case, the best workaround is to avoid attracting their interest by doing something bad.

My case is a little different because I am passionate about defensive security and work in this field. That's why I try to have the most secure setup possible. Even doing that, I know it is not enough, and I accept it. Knowing the threats and the associated risks will tell you what to prioritise. For example, take an unknown blogger like me with an online website. I should not interest a government agency or a professional black-hat hacker, so I assign a very low probability to being attacked by them (still a possibility, you never know). I should also only be attacked over the internet; if I do something offline, it should be "safe".

So, in my current situation, the most likely threats will come from the internet, and they should be bots. The second one in my threat model is another blogger or tech person who dislikes me or tries to discredit me. This kind of person could be highly skilled in computer science. That means they will probably attack the website with more specific tools than bots have, but they will not persevere much (I hope). That's why I decided to set the security level to at least moderate (on my security ladder, a high level means the system should be able to resist a professional attacker, and a very high level means it should be able to resist a government agency).

In my scenario, I have to deploy and enable features that resist bots and the most common weaknesses. Concretely, that's why I decided to use PluXml. It is far less popular than WordPress and Joomla, which means bad actors look less for vulnerabilities in it, and if they find one, there is little chance it gets included in a bot. However, PluXml is currently not really maintained, which is a problem, and I will probably have to switch to another product. A high level of security would imply a static website with no services exposed; a very high level of security, no website at all.

Conclusion

I hope you enjoyed this first article about cybersecurity. The tone I used was a little more engaged than usual.
Feel free to comment if you want to add ideas or discuss it. If you find this article useful, you can subscribe to the blog's RSS feed or follow me on Mastodon. Don't hesitate to share it if you think it could interest someone.

Some news about the blog 3 : May 2018

Written by Mirabellette / 10 june 2018 / no comments

Hello everyone

I decided to publish an article each month about the life of the blog in general. In this article, you will find:

  • What I achieved during this period
  • What I accomplished for the community
  • How popular the blog and its services are
  • Balance sheet of the period
  • Some words about my plans for the next period

Unlike the previous articles, I have decided to split the periods by month from now on. I think it will be more logical and easier to analyse. This article is about the month of May 2018.

Period achievements

Articles

  • As I said last month, the article of the previous month wasn't technical but philosophical. It is a transposition of the Hippocratic Oath to the field of knowledge.
  • I got multiple requests from the French community to translate the article I published about hosting Firefox bookmarks. I translated it from English to French and improved both versions.

Events

  • A small issue with the web server configuration: the security level of the services was lowered because Let's Encrypt added a new line to the virtual host configuration. It is now fixed.

The blog

I worked quite a lot on the blog this month. I think the blog is now fairly pretty and works well enough. That's why I decided to improve the search engine optimisation, to make the blog load faster and to have better statistics.

  • Changed the title of the blog from Mirabellette.eu to blog.mirabellette.eu
  • Compressed images from PNG to JPG format
  • Added a favicon
  • Renamed links to display text instead of the raw URL
  • Enabled caching on the web server for static content (CSS, JavaScript)
  • Reduced the CSS used by the blog to just what is needed

Give back to the community

  • Opened an issue on Shaarli: the web server configuration given in the documentation didn't work behind a reverse proxy. The issue was tagged as a documentation issue; I plan to fix it.
  • One pull request accepted in crawler-user-agents, adding a new bot.
  • I posted an article by Tuxicoman on journalduhacker, which got a high score (21).
  • Approximately 10 comments on journalduhacker, sharing knowledge or points of view.
  • A small donation, as every month, to an association or service I find useful.

Balance sheet of the period

Statistics for this period

I worked quite a lot on this and I am very happy to finally have "real" statistics about the blog. I installed Matomo, then disabled it when I understood how intrusive it was. That's why I created a tool to produce statistics and graphs from anonymous data. You can find the most important statistics of the month below.

[Charts: views this month, days with most reads, most-read articles, referers]
  • Pages were viewed 3250 times this month.
  • The most-read article this month was the French translation of the article about hosting Firefox bookmarks, with 1790 views.
  • The second most-read article this month was the original article about hosting Firefox bookmarks, with 1790 views.
  • Most visitors came from journalduhacker.
  • Even if it is not very visible in the chart, Mastodon was also a very important source of visitors.

For me it is an unbelievable success; I never expected so many views. I will continue to write interesting articles.

My point of view

When I look back on the period, I am happy with what I did. The blog and its search engine optimisation were improved quite a bit. I am very happy with how many visitors I got this month. However, I feel like I don't give back enough for what I receive.

For the next month

  • I don't know yet what next month's technical article will be about. I will not have a lot of time and I am hesitating between subjects.
  • I will publish a page about the data I manage here with regard to the GDPR. It will contain information about the statistics tool I built and why I collect data.
  • I feel I should give more of my time to the community this month. I will figure that out.

Classified in : Blog / Tags : none

The Knower Oath

Written by Mirabellette / 01 june 2018 / no comments

Introduction

Hello everyone,

As I said in the monthly article about the blog, I will not talk about technical stuff or privacy concerns. Actually, I will talk about philosophy. Probably the only article I will write here about that: first because it is not the main topic of this blog, second because the Internet never forgets.

When I was strolling on the Internet, I found a really interesting article by Freetux about the Hippocratic Oath. He transformed and adapted it to the job of system administrator. The Hippocratic Oath is today an ideal that doctors try to pursue; there is no legal obligation.

Today, I will try to do a similar exercise. Unlike FreeTux, I will not restrict it to the job of system administrator. I want to open the original scope to those who have knowledge. I also chose to stay more faithful to the original version. I chose the version from Wikipedia, translated by James Loeb.

The oaths


The Hippocratic Oath

I swear by Apollo the Healer, by Asclepius, by Hygieia, by Panacea, and by all the gods and goddesses, making them my witnesses, that I will carry out, according to my ability and judgment, this oath and this indenture.

To hold my teacher in this art equal to my own parents; to make him partner in my livelihood; when he is in need of money to share mine with him; to consider his family as my own brothers, and to teach them this art, if they want to learn it, without fee or indenture; to impart precept, oral instruction, and all other instruction to my own sons, the sons of my teacher, and to indentured pupils who have taken the physician’s oath, but to nobody else.

I will use treatment to help the sick according to my ability and judgment, but never with a view to injury and wrong-doing. Neither will I administer a poison to anybody when asked to do so, nor will I suggest such a course. Similarly I will not give to a woman a pessary to cause abortion. But I will keep pure and holy both my life and my art. I will not use the knife, not even, verily, on sufferers from stone, but I will give place to such as are craftsmen therein.

Into whatsoever houses I enter, I will enter to help the sick, and I will abstain from all intentional wrong-doing and harm, especially from abusing the bodies of man or woman, bond or free. And whatsoever I shall see or hear in the course of my profession, as well as outside my profession in my intercourse with men, if it be what should not be published abroad, I will never divulge, holding such things to be holy secrets.

Now if I carry out this oath, and break it not, may I gain for ever reputation among all men for my life and for my art; but if I break it and forswear myself, may the opposite befall me.

The Knower Oath

I swear by Socrates the philosopher, by Mohandas Karamchand Gandhi, by Alan Mathison Turing, by Aaron Hillel Swartz, and by all the men and women, making them my witnesses, that I will carry out, according to ability and judgment, this oath and this indenture.

To hold my teachers in this art equal to my own parents; to make them partner in my livelihood; when they are in need of knowledge to share mine with them; to consider their family as my own family, and to teach them this art, if they want to learn it, without fee or indenture; to impart precept, oral instruction, and all other instruction to my own sons, the sons of the world, and to indentured pupils who have taken the knowledge’s oath, but to nobody else.

I will use my knowledge to solve issues according to my ability and judgment, but never with a view to make prejudice and wrong-doing. Neither will I hide truth to anybody when asked to do so, nor will I suggest such a course. Similarly I will not give to a people an advice to cause issues. But I will keep trust and clear both my life and my art. I will not use my knowledge, not even, verily, on sufferers from stone, but I will give place to such as are craftsmen therein.

Into whatsoever world I enter, real or digital, I will enter to help and share my knowledge, and I will abstain from all intentional wrong-doing and harm, especially from abusing the mind of man or woman, knower or ignorant. And whatsoever I shall see or hear in the course of my profession, as well as outside my profession in my intercourse with person, if it be what should not be published abroad, I will never divulge, holding such things to be holy secrets.

Now if I carry out this oath, and break it not, may I gain for ever reputation among all men for my life and for my art; but if I break it and forswear myself, may the opposite befall me.

Conclusion

I hope you find this article interesting and that it helps you think about your life and your own responsibility.

If you find this article interesting, feel free to subscribe to my RSS feed and to follow me on Mastodon. Don't hesitate to share it if you think it could interest someone else.

Hosting Firefox bookmarks - French version

Written by Mirabellette / 21 may 2018 / no comments

I received some requests to translate into French the article I wrote about hosting Firefox bookmarks with Syncserver. You can find the French version of this article below.

Introduction

To move forward with my digital independence project, I decided to host my Firefox bookmarks myself. I use the Firefox browser from the Mozilla Foundation, and the foundation has published on GitHub the repository that contains what is needed to host them. Syncserver only hosts the synced data (the bookmarks, but also everything else Firefox Sync stores, such as history and saved passwords); it does not handle authentication. This means that with Syncserver you still authenticate with Firefox and then retrieve your bookmarks from the server of your choice. To handle the authentication process as well, you need to install Firefox Accounts Server.

Syncserver was quite painful to deploy, for two reasons. The first is that there is little information about how it works and what it does, with a rather rough GitHub repository. The second is that some basic pieces are missing, which makes deployment a bit tedious. Deploying Syncserver properly and writing this tutorial took me about 15 hours. In any case, it works now, and you get to read this article. I hope you find it useful. :)

The GitHub repository is not very active: one release in 2018, 2017 and 2016, and two releases in 2015 and 2014. To follow updates, you can add the repository link to your RSS aggregator. Going by the past, updates should not be too frequent.

Configuring Syncserver

  • The installation was done on Debian Stretch 9.1
  • To build the application, you must be able to reach the internet or a Python package repository in order to download all the dependencies listed in requirements.txt
  • Installing the dependencies (make is needed for the build step and can be removed afterwards)

    # dedicated unprivileged user with no login shell
    adduser --system --shell /usr/sbin/nologin --no-create-home firefox
    apt-get install python-dev git-core python-virtualenv g++ make sqlite3
    # /opt itself is root-owned: create the target directory and hand it to the firefox user
    mkdir /opt/syncserver && chown firefox /opt/syncserver
    cd /opt
    sudo -u firefox git clone https://github.com/mozilla-services/syncserver /opt/syncserver

    Basic configuration

    The Syncserver configuration lives in the file syncserver.ini. You must edit it before building the application, otherwise the parameters will not be taken into account. In syncserver.ini, you can change the [server:main] section if needed; the default configuration works for this part. To make your life easier, I created an almost fully configured syncserver.ini file. You can find it here (a few changes are still needed).

    The public_url parameter. Change this parameter so that it matches the public URL through which Syncserver will be reached, even if it is a virtual machine or a container placed behind a reverse proxy.

    public_url = https://example.com

    The sqluri parameter. I decided to use an SQLite database to store the bookmarks because it is a database engine that is easy to back up. You can choose the database engine you want. Beware: if you don't define one, the bookmarks will be stored in RAM and lost when the machine restarts. The default path under /tmp is hardly better, since /tmp is usually emptied at reboot. To use an SQLite database, replace the parameter sqluri = sqlite:////tmp/syncserver.db with:

    sqluri = sqlite:////opt/syncserver/syncserver_data.db
    * //// means an absolute path

    The file is created by the firefox user at the first start; check that it is not readable by other users (chmod 600), since it holds your synced data.

    The secret parameter. It is strongly recommended to generate a secret key. This key is used to sign the authentication tokens. If you don't set one, Syncserver generates its own at every start, which means that a restart invalidates the tokens already issued and every client has to authenticate again. An automatically generated key may also be weak if little randomness is available. To generate a strong key, you can use the following command (keep only the 40 hexadecimal characters, not the trailing " -" printed by sha1sum).

    head -c 20 /dev/urandom | sha1sum

    The allowed_issuers parameter. If you use the default authentication system, you can allow only Firefox's issuer, or your own if you have one.

    allowed_issuers = api.accounts.firefox.com

    The force_wsgi_environ parameter. I configured the server behind an Apache2 reverse proxy. I tried a few things with the value false but it did not work. I therefore opened an issue on the project's official GitHub repository, and was advised to change the value to true, which worked for me.

    force_wsgi_environ = true

    Building the application

    Probably a useless reminder, but remember to configure syncserver.ini before building the application.

    cd /opt/syncserver
    sudo -u firefox make build
    sudo -u firefox make test

    After that, if you run sudo -u firefox make serve, you should see a few lines indicating that Syncserver started correctly and is listening on the default port (if that is the case). Note that you will see no text telling whether the synchronisation of your bookmarks works or not.

    Updating

    After building the application, you should now see two directories: syncserver.egg-info and local. If you want to update Syncserver, remember to delete them first.

    rm -r syncserver.egg-info
    rm -r local

    Apache2 virtualhost

    I created a basic reverse-proxy virtualhost with Apache2. It just forwards the traffic to the IP address of your choice. You can find the script here. I did not need to configure it with WSGI because I forward all the traffic directly to the Python daemon.

    Configuring the browser

    The procedure differs slightly depending on whether you use Firefox on mobile or on desktop. It may also not work with very old versions of the browser. I will only present the process for the desktop version. More information for configuring the other versions is available here

    • Type “about:config” in the URL bar of your browser

      You should see a warning screen; confirm your choice.

    • Search for the key named “identity.sync.tokenserver.uri”. Double-click on the row and replace the value assigned to this key with the value described below.

      The value must have the following form: https://example.com/token/1.0/sync/1.5. Although the current version is 1.8, the path kept the value 1.0/sync/1.5 ... * if anything goes wrong, the original value in your browser is https://token.services.mozilla.com/1.0/sync/1.5

    • Sign out of your Firefox account, then restart Mozilla Firefox so that the changes are taken into account. Once the browser has restarted, sign back in to your Firefox account.

    Hardening the configuration and cleanup

    Locking down Syncserver

    As you can see, you can now store your bookmarks on the Syncserver of your choice. You will probably want to restrict access to Syncserver to yourself. To prevent anyone else from storing their data on your Syncserver, edit syncserver.ini and set allow_new_users = false, delete the two directories syncserver.egg-info and local, and build the application once more. Do this only after your own account has synced at least once, otherwise your own account will be refused as well.

    vim syncserver.ini
    rm -r syncserver.egg-info
    rm -r local
    sudo -u firefox make build
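    Before rebuilding and starting the daemon, it is worth checking that none of the settings discussed above were left at their weak defaults. The POSIX shell check below is an added example, not a script from the Syncserver project or from the original article. It assumes the syncserver.ini layout used in this post (plain key = value lines, with public_url, sqluri, secret and allow_new_users in the [syncserver] section) and writes two constructed sample files, one mirroring the defaults and one hardened, to show the difference.

```bash
#!/bin/sh
# Added example (not from the Syncserver project): sanity-check a syncserver.ini
# against the hardening steps described in the article.
# Assumption: settings are plain "key = value" lines; the first match of a key wins.

# ini_get FILE KEY : print the value of KEY, or nothing if it is not set
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_syncserver_ini FILE : print one line per finding and return the
# number of findings (0 means the file passes every check)
check_syncserver_ini() {
    f=$1
    n=0

    v=$(ini_get "$f" public_url)
    case "$v" in
        https://*) ;;
        *) echo "public_url: must be the https:// URL seen by clients (got '$v')"
           n=$((n + 1)) ;;
    esac

    v=$(ini_get "$f" sqluri)
    case "$v" in
        "") echo "sqluri: not set, data would live in RAM and vanish at restart"
            n=$((n + 1)) ;;
        sqlite:////tmp/*) echo "sqluri: points under /tmp, data is lost at reboot"
            n=$((n + 1)) ;;
    esac

    v=$(ini_get "$f" secret)
    if [ -z "$v" ] || [ "${#v}" -lt 40 ]; then
        echo "secret: missing or shorter than the 40 hex chars of 'head -c 20 /dev/urandom | sha1sum'"
        n=$((n + 1))
    fi

    v=$(ini_get "$f" allow_new_users)
    case "$v" in
        [Ff]alse) ;;
        *) echo "allow_new_users: should be false once your own account is registered"
           n=$((n + 1)) ;;
    esac

    return "$n"
}

# write_samples DIR : create two constructed files, DIR/default.ini (mirroring the
# shipped defaults, open to anyone) and DIR/hardened.ini (the settings from this post).
# The secret below is a made-up value, not a real key.
write_samples() {
    cat > "$1/default.ini" <<'EOF'
[server:main]
host = 0.0.0.0
port = 5000

[syncserver]
public_url = http://localhost:5000/
sqluri = sqlite:////tmp/syncserver.db
allow_new_users = true
EOF
    cat > "$1/hardened.ini" <<'EOF'
[server:main]
host = 127.0.0.1
port = 5000

[syncserver]
public_url = https://example.com
sqluri = sqlite:////opt/syncserver/syncserver_data.db
secret = 5b4ee1a3c0f2d9e8b7a6c5d4e3f2a1b0c9d8e7f6
allowed_issuers = api.accounts.firefox.com
force_wsgi_environ = true
allow_new_users = false
EOF
}

# Demo: run the check on both sample files
dir=$(mktemp -d)
write_samples "$dir"
for ini in default hardened; do
    echo "== $dir/$ini.ini"
    if check_syncserver_ini "$dir/$ini.ini"; then
        echo "ok: no finding"
    fi
done
```

    To check your real file, source the script and run check_syncserver_ini /opt/syncserver/syncserver.ini; a non-zero exit status means at least one finding was printed.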

    Systemd script

    Surprisingly, no Systemd unit is provided by the official repository. You can use the one I created here. Put it in the /etc/systemd/system/ directory and run systemctl daemon-reload then systemctl enable syncserver.service to enable it. After that, Syncserver will start automatically at each boot of the machine.

    Cleanup

    If you installed make and g++ to build the application, you can now remove them (you will need them again for the next update).

    apt purge make g++

    Of course, configure the firewall correctly. If the reverse proxy runs on the same machine, also bind the daemon to localhost (host = 127.0.0.1 in the [server:main] section of syncserver.ini) rather than to all interfaces; if the proxy is on another host, let the firewall accept connections to the Syncserver port only from the proxy's address.

    Sources

    Social networks

    If you found this article interesting, you can subscribe to the blog's RSS feed and follow me on Mastodon. As usual, if you think it could interest someone, feel free to share it with them.