Thursday, December 26, 2013

The Drone Survival Guide

Drones have become all the rage in the US millitary arsenal.  An important part of the United States' war stratagy, these small, cost-efficient, and deadly machines are operational in several Middle Eastern countries.  They are often used to kill those labeled as insurgents and often terrorize small children and innocents.

But even with their sophisticated computer hardware, optics, and sensors, drones can be evaded and even fooled. A document called "The Drone Survival Guide" was recently posted to the Internet and it details how to do just those very things. Because I believe the site hosting the guide will likely be taken down at some point due to pressure from the US Government, I'm reposting the file here. Please feel free to download it and, if you can, share it as widely as possible.

You can download the file by clicking here.





Tuesday, December 10, 2013

Sorry for the lag

Just wanted to apologize for not posting the next installment of 'Programmer Life' on schedule. I was in the hospital for almost a week and am still playing catch-up with work and life. The next installment of the series will be posted next Sunday on schedule.

Thanks for your patience!

Sunday, November 10, 2013

Programmer Life: A Method to our Maddness

In our last installment, we learned that everything we see, whether it's in programming or life, is either an object, a property, or a method. We also explored how we use objects to describe abstract concepts so that we can write reusable code.  But objects are only the beginning of our journey.  They are pretty useless unless we can make them do something.  A car wouldn't be very valuable to you unless you could make it go forward, turn left, go backward, stop, that sort of thing.

So, today, we're going to look at the concept of methods in Object Oriented Programming.

What is a Method?

In simple terms, a method is a little chuck of code that makes something happen within an object. Almost all programming languges, including those that are not OOP based, have the concept of methods. Some of them call them functions or subroutines but the fact is that, whatever they're called, they do the same thing: do something.

How are Methods Used?

Methods are usually fairly easy to use. Let's look at our car class from last lesson with a stop_moving() method added:

public Class Car{

public  int yearMade;
public  String make;
public  String model;
public  String color;

public  bool stopMoving(){
    return true;
}
}

Car myCar = new Car();

myCar.yearMade = "2014";
myCar.make = "Ford";
myCar.model = "Fusion";
myCar.Color = "Black";

bool isCarMoving;

isCarMoving = myCar.stopMoving();

if (isCarMoving == true){
   System.out.println("The car is not moving!");
else{
   System.out.println("The car is still moving!");
}

As you can see above, we've added a method to Car that makes it do something. In our simple code, all we do is return a value but, if this were real code, we'd probably send a message to the car telling to stop then returning true or false depending on if it actually stopped or not. But we're trying to keep things simple in this example so we're just going to return a value.

As you might be seeing, the idea behind classes and methods are to abstract the code from the programmer as much as possible. For example, if someone tells me how to issue the call to Car() to stop the car from moving (car.stopMoving()) then I don't have to know how the code stops the car from moving. I just need to know that it does and what values it returns so I can check if the car has stopped. It makes programming a little easier and means the programmer doesn't have to worry about the dirty implementation details.

So that's how methods work! In our next installment, we're going to build out our method a bit more using more properties and interaction to make it more useful. We'll also explore how you can pass arguments into your methods so that they can work with outside data  Be sure to check back then!

 

Sunday, October 27, 2013

Programmer Life: An Introduction to Object Oriented Programming

Lately, I've been talking to a lot more people who are opting out of the traditional 'let's go to college and get a Computer Science degree' and, instead, teaching themselves how to program. For someone who learns quickly, is highly motivated, and has a strong interest in the subject, this can be an excellent route to take and can get you into a working position in the industry remarkably quickly.

So I've decided to start a biweekly column on this blog to contribute to that effort. The column will be called, as you might have already guessed, "Programmer Life" and we're going to cover all of the fundamentals you need to know in order to become a working programmer, broken down into short, easily understandable chunks.

This week, we're going to start discussing one of the most widely used methodologies in the modern software development world: object oriented programming. You've probably heard that term before and it might have confused you. Let's see if we can take away some of that confusion.

First, let's start with a basic truth: everything is either an object, a property, or a method. For the most part, that can be extended even into real life. Think about that for a second. Think about your car (an object). It has properties (color, make, model, etc) and  methods (go forward, turn left, etc). So how would we represent a car in code? Probably much like this: 

public Class Car{
    public int yearMade;
    public String make;
    public String model;
    public String color;
}

With the code above, we have everything to need to describe any car in code because all cars share a common set of attributes. So, how to we represent a Black 2014 Ford Fusion using this code? Pretty easily:

Car myCar = new Car();
myCar.yearMade = 2014;
myCar.Make = "Ford";
myCar.Model = "Fusion";
myCar.Color = "Black";

Pretty easy, huh? We could just as easily represent a 2013 Chevy Malibu or a 1978 Grand Am. Because all cars share these common properties, we don't have to rewrite the same code for every single vehicle we define. We simply define a new instance (called instantiation) of a class of object we've already defined.

So that's a quick and dirty introduction to OOP. In our next column, we'll discuss how we make our objects do something using methods.  Until then, go play around with code!



We need more AnonyMail servers to strengthen anonymity. Can you help?

One of the strengths of AnonyMail is that it completely separates the sender of an email from the received. By the time an email reaches its recipient, it's impossible for that person to tell who sent that email or from where. This is because AnonyMail routes messages through several 'hops' before they are delivered to their final destination and those hops are all run by volunteers.

But we need more volunteers!

In order to keep users of AnonyMail safe, we need as large and robust a network as possible. The more hop servers there are, the harder it is for anyone, including governments, to accurately track an email message as it's working its way through the Internet. Right now, we have a little less than 40 servers but we need more. We need you.

If you'd like to run a hop server, it's easy and doesn't require much at all. In fact, if you have a place you're hosting a website that can also send email from PHP, you've probably already got everything you need.

If you're interested in running a hop server, please send me an email at anthonyp@netscaletech.com and I'll get you what you need. It doesn't cost anything but a little time and you're helping protect privacy around the Internet.

Friday, October 25, 2013

AnonyMail2 has been released!

If you've followed this blog for a while, you probably know that I write a little program called AnonyMail. AnonyMail isn't sexy software or software that will help you be more productive or get a date but it's software that does one thing and does it well: it protects your privacy when sending email.

AnonyMail began life last year as a side project that I thought might be useful. Then we found out that the US National Security Agency was spying on the world and the project became much more important to me. It became so important, in fact, that I formally brought it into my company as a product.

Now, after three months work, I'm proud to announce the release of AnonyMail2. AnonyMail2 takes the software to places I didn't even think of in version 1.

New Features Include:
  • Multi-hop message delivery to fully hide your true location
  • The ability to route your message through the Tor network
  • Arbitrary sized message padding to defeat traffic analysis
  • Strong, encrypted, connections to the server for message delivery
As of today, the Windows version of AnonyMail2 is available for immediate direct purchase from our GumRoad sales site. Versions for Ubuntu and Mac are coming as soon as we get approved in the respective app stores.

Thursday, October 24, 2013

Oh Look! A New and Awesome Podcast!

Let's face it: there are a lot of podcasts out there. Whatever you're interested in, there's probably a group of people sitting in front of microphones talking about it, ranting about it, and creating content around it. Unfortunately, a lot of this content is kind of...how do I put this nicely...crap.  Finding podcasts isn't hard at all. Finding really good podcasts can be a bit of a challenge.  That's why I got so excited when some of my favorite tech people on the planet, Bryan Lunduke, Jono Bacon, Stuart Langridge, and Jeremy Garcia announced the flagship episode of their new podcast "Bad Voltage".

Bad Voltage is everything I want in a podcast. It's got tech talk from people who actually know what they're talking about, it's got music, it's got humor, it's just about the perfect podcast. I'm listening to the first episode right now and, I have to say, I'm pleasantly blown away by it. For the first time in a long time, I'm hearing a podcast that doesn't bore me to tears, has good production quality (this is important, listen to some of the other crap out there. You'll understand), and is has people who aren't just in it for the clicks but actually care about the topic they're talking about.

So if you get a chance, hop on over the the Bad Voltage website and listen to the first episode. I guarantee that, once you do, you'll be hooked!




Wednesday, October 23, 2013

Looking for a job as a software developer? Learn to use Git!

Over the last few years, Git has emerged to become the dominant source control platform in the software development world. Everyone uses Git, from small open source projects to large commercial endeavors dealing with hundreds of millions of lines of code. So you'd think that every software developer, especially those coming fresh out of university, would have a good, solid, complete, understanding of the technology.

You would have thought wrong.

Over the last few weeks, I've had at least 15 discussions with programmers who are  either just out of college or current in their final year. Of those 15 or so people, all of whom are going to graduate and end up in software development jobs, only 5 understood how to properly use Git and only 2-3 could tell me why they should use it over another 'source control' method such as FTP or Dropbox.

These are the developers who are going to be working in your company one day soon and they are going to destroy your source code backups because they have no earthly idea, in many cases, how to even do a basic check-in/check-out. These are the programmers that are going to lose their companies millions of dollars in lost productivity by blowing away source code and wasting other developers time as they learn, on the job, how to use a basic source control system.

Colleges: get on the ball! I understand that you can't cover 'everything' in your programs. But by not teaching your students some sort of source control, you are handicapping them and you are overburdening the companies they will end up working for with the task of having to teach them things they should already know. I'm not saying teach Git specifically, but teach something. Or, at the very least, impress upon them why they need source control.

Programmers: you will be the future of software development and on the tip of the spear of the coolest technologies of tomorrow. Your colleagues are going to hate you if you don't come to the job prepared with the skills you're going to need to be successful. I'm not talking a mild 'I don't really care for the guy' type of feeling. I mean abject and pure hate.  For the love of god, if your school isn't teaching you source control, take it upon yourself to learn it. Go to Amazon and buy a book, go online and read a tutorial, go to Code Academy and take the free course. Whatever you do, learn how not to destroy yours and others work!

This might come across as a bit of a rant. If you think it is, I invite you to revisit this blog post after your fresh new college graduate blows away your source tree that's been years in the making. You'll likely see it differently then.



Tuesday, October 22, 2013

Looking for Secure Email? Check out Runbox!

I'm always looking to increase the security of my online communication. It's why I use Jitsi for encrypted voice and video chat and why I use PGP to encrypt my email so only those I send it to can read it. But there's been one problem that I've not yet overcome and that's the one of finding an email provider that not only values my privacy as much as I do but actually does things to make sure that privacy is protected.

Like most of you, I've used several of the big, free, commercial email providers out there. The problem is, I know there's no such thing as free. We pay for these products, not in cash, but in the abdication of our privacy.  As they say, if you're not paying for a product, there's a good chance you are the product. The free providers, while dumping a lot of goodies in our laps, don't have any incentive to protect our privacy. Sure, they take basic steps to stop hackers from ravaging our email and files, but they will usually turn over pretty easily in the face of a government request. That turnover might be handing over the contents of a single users email or as big of a deal as handing over their SSL keys so that any traffic between a remote PC and their servers can be decrypted.  You just don't know and, from the things Edward J. Snowden has revealed, we can safely assume that privacy, at least with US based services, simply doesn't exist.

So I went shopping. I specifically started looking for email providers outside of the US, in countries that had both a technical and  a legal framework for protecting user privacy. The country I found that fit the legal framework was Norway and the company I found was Runbox.

Runbox is amazing.  First, the company is not a large, multi-national giant. It's largely employee owned and the employees take a direct hand in the business. Second, they are committed to open source principles and actually use open source software to run their business. But that's not the best part. The best part is that these guys believe in protecting the privacy of their users.


Using technology like perfect forward secrecy, the company makes it virtually impossible for anyone to eavesdrop on your connection to their server. Because of the way PFS works, they could literally hand over their private keys to a government and users would STILL be protected.

Next, the way Runbox stores your mail is unique in that they stick it in a giant, semi-anonymous pool with thousands of other messages. Grabbing this pool, which is encrypted, is useless as it's nearly impossible to identify which message belongs to which users.

Finally, and this is a very cool thing, email messages sent between Runbox users never go over the Internet at all. They are simply transferred via their internal network and that's that.

Those are a few of the technical tools that Runbox uses to protect our privacy. But there's also a legal aspect too that is just as important.

Because of the type of service Runbox is, they are not required to log anything about their users. This means that they can choose not to log connections so that there is nothing to turn over should a court request come.

Additionally, Norway, the country that Runbox operates in, has a strong history of erring on the side of privacy. They opposed the European Unions data retention laws and routinely side with users on issues effecting their privacy. They also don't automatically assume that a corporations needs outweigh a users right to privacy and have, in the past, not handed over data on file sharers to courts requesting such data.

All in all, I think I've found the perfect solution to my email needs. And, best of all, it's affordable too. I pay only $39 a year for a decent sized email box and a great web based email client. I can pay slightly more to get a larger box, the ability to send more messages per day, web hosting, and file sharing, but, honestly, the $39 a year plan more than meets my needs.

So I'd like to encourage those of you who are concerned about your privacy or who are fed up with your privacy being raped by providers like Gmail, Yahoo, and others, to take a serious look at Runbox. It's not perfect, but it's as close as we're going to get unless we're willing to host our own email.

Find their site at www.runbox.com




Monday, October 21, 2013

It's about fragmentation, not writing code!

I've been following the discussion surrounding this blog post from Canonical founder
Mark Shuttleworth all weekend.  For those who haven't read the post, it's basically a'go team' praise session for shipping 13.10 along with a healthy dose of fireback at both Ubuntu and Canonical critics. While I'm not going to get into the details of the post here, I want to address an issue I think Mark and a few people in the Ubuntu world have completely wrong.

Now, before I go into this, let me make a statement here: I love Ubuntu. I really do. I'm heavily invested in it both personally and professionally and, when I write Linux software, it's primarily targeted at Ubuntu. I want to see it to  succeed and I want it to succeed in a big way.  That said, I think part of helping the system succeed is keeping the people leading the project in check. Sometimes, when you care as passionately about something as Shuttleworth does, it becomes very easy to see everything else in a skewed 'us against them' way.

Mark seems to believe that those who criticize Ubuntu or his company are doing so because they have some personal ax to grind or that they are criticizing their code. He even likens those who oppose them as 'the open source tea party', referring to a fringe of the American right widely thought to be obstructionist.  Nothing could be further from the truth. Everyone supports Canonicals right to write code and, for the most part, almost everyone agrees that the company produces really good code. The issue most people have with Ubuntu is the same issue people have with Android: fragmentation.

With each release of Ubuntu, the project seems to be moving in its own direction, further and further from mainstream Linux. The Mir display server, the Upstart initialization system, the Unity desktop, are all great examples of this.  Over and over, we see Canonical rejecting widely adopted technologies in favor of designing something completely new.  I'm not saying new is bad, mind you. But I think Canonical's time would be better spent improving the widely accepted technology instead of falling trap to their own version of 'not invented here syndrome'. Imagine the strides the GNOME project could make if Canonical were actively contributing to the desktops development? Or systemd. Or X Window. Instead, Canonical chose to cut its own path and start from scratch.

That attitude might work in a 'let's get grandma on Ubuntu' mindset but it certainly falls down in a 'let's get grandma on Linux' one. There seems to be coming a time, and it may be soon, where there will be 'The Ubuntu Way' and 'The Linux Way' and those two might be widely divergent.  And, yes, I know all of the technologies are open source and anyone could use them. But the fact that almost nobody but Ubuntu has chosen to shows that the industry has spoken and congregated around other technologies for whatever reason. Perhaps Canonical should look around their growing island and see that it's largely populated by themselves and almost nobody else. Perhaps that should tell them something.

In the end, it's not just about code. It's about the unity of the open source world. In the face of intense competition from well funded and profitable companies like Microsoft and Apple, the last thing the community needs is fragmentation. We should be making it as easy as possible for new developers to write applications that work just about any Linux platform, not just the most popular one.

So, Mark, write code! Write good code! Nobody is going to try to take that right away from you. We're just all a little concerned that it's becoming 'Ubuntu first and we'll get to the rest of the community if we can' type of deal. You may very well be shooting yourself in the foot.


Thursday, October 17, 2013

Ubuntu 13.10 launches today. Is it the best Ubuntu Release Yet?

Every six months, Canonical releases a new version of the Ubuntu Linux operating system to hoards of waiting fans. Today, October 17th, is that day for Ubuntu 13.10
and the media and user hype around the release has risen to a near fever pitch. But with so much competition and so many things happening in the Linux world these day, does Ubuntu 13.10 warrant all of the excitement it's getting?

As most of you know, I'm not Ubuntu's biggest fan. While I use an Ubuntu derivative (Xubuntu) as my primary operating system at both work and home, I feel there's some things with Ubuntu proper that rub me the wrong way. For example, I simply can't stand Unity and I don't like the way the company has installed a shopping lens that is, essentially, spyware. But, all that aside, I was pleasantly surprised when I installed 13.10 day before yesterday to check out for myself what all the slovering from the fanboys and girls was about.

It was amazing.

13.10 is one of those rare operating systems releases that get it right. It's obvious that Canonical has put enormous amounts of work into making this release the crowning jewel of everything they've been working on for the last six months. It's fast, responsive, stable, and usable for just about anyone. With 13.10, Canonical has finally delivered what Linux has promised for years: making a distro that grandma can use without many problem.

Considering that 13.10 is the last release before the next LTS, a lot was riding on the company to get things right. If they screwed up this release, the LTS six months from now would likely have been a complete disaster. Had they done something silly, like include the Mir display server when it wasn't quite ready for prime time, both this release and the 14.04 LTS would have been garbage. Thankfully, they over promised with 13.10 but then backed that up by over delivering too.

If you're a fan of the Unity desktop, there's a lot to love in this release. Unity runs faster now than it ever has before with the lowest resource use I've ever seen. Sure, it's going to take more memory than your old GNOME or today's XFCE, but, then again, it's supposed to. The entire reason you're probably using Unity instead of one of the other desktops is because you want the glitz and bang that a nice, compositing, desktop offers, and Ubuntu 13.10 doesn't disappoint.

Another exciting thing, though easy to overlook, is the addition of Smart Scopes. Smart Scopes make finding things from the Dash a lot  easier and more intuitive. It also means that you're going to get a lot less garbage returned when you search and your searchers will, as a result, return a lot faster. Things are also categorized a lot more sensibly in this release and it looks like someone paid a lot of attention to both functionality and usefulness.

The new Mir display server isn't included in this release which was sort of disappointing and logical to me at the same time. I don't think Mir is ready for everyday desktop use yet but I really want to play around it without having to install it myself and risk breaking things. But Canonical made the right decision to hold off on the new server as there are some major performance issues that really need to be addressed before it's let loose on the world. One day very soon, possibly by the next release, Mir is going to be amazing. It's amazing now. It's just not quite ready and Canonical obviously knows that.

Lastly, the newest 3.11 kernel, just released in September, ships with this release and it brings some solid performance improvements to power consumption and memory use as well as a whole bunch of other things. Not much to review here but it's definitely worth noting.

Overall, there's very little not to like about 13.10. The only real complaint I could come up with was that the shopping lens is still on by default and, as Matt Hartley from The Linux Action Show says, default rules the world. It's a major privacy issue that Canonical has shown itself fairly unwilling to address in any meaningful way. Additionally, the results brought up through the lens are, in many cases, completely irrelevant.  The first thing most users will do when they install the new OS is to disable the lens or completely remove it (which would be my option).

Should you upgrade to 13.10? If you're sitting happy on 12.04 and don't have a compelling need for the new stuff 13.04 offers, no, you shouldn't. Wait for the LTS to come early next year and grab that. But if you're someone who wants new hotness now, 13.10 is an absolute no-brainer. Canonical has hit one out of the park with 13.10. I hope this is the start of something amazing.

Ubuntu 13.10 releases later today and can be downloaded for just about any system on the planet by going to www.ubuntu.com/desktop.


Tuesday, October 15, 2013

ADCL is now NetScale Technologies

As many of you know, I've run a small company named Advanced Data Concepts for a few years now and we've done pretty good. But, over time, I grew to like the companies name less and less to the point where I didn't feel it really fit what we did and our personality as a culture anymore. So, as of yesterday, ADCL is now NetScale Technologies!

While some people might think that changing a company name is a small thing, there's often a lot riding on such a decision. First, if you're not careful, a name change can easily spook customers who may mistakenly believe that you're changing your name because there's trouble at the company, you're going bankrupt, or some other underlying issue. Additionally, you're risking sparking a period of market confusion whereby your customers aren't sure if you've been acquired or not or if they can still trust your brand. It's a big risk but one that must be taken sometimes in order to move forward.

In addition to changing names, we're going to tighten up the business focus quite a bit. ADCL tried to be everything to everyone. We administered servers, developed software, did tech support and network consulting, and a host of other functions that, while revenue generating, wasn't really our forte. From here on, we're going to focus on what we do well: software development. That's all, nothing else. We're going to focus on desktop software development for Linux and Mac, mobile development for Android, iOS, and Blackberry (also considering Firefox OS), and web application development. That's it. Total focus.

I believe this new focus will allow us to perform better as a company and pursue some things in 2014 that we've been simmering for a few years but could never quite execute. All in all, these changes, while small, will be a very good thing.

You can visit our new site at www.netscaletech.com (it's still under VERY heavy development and looks like crap) and you can send me an email with feedback, questions, etc at anthonyp@netscaletech.com.

Saturday, September 14, 2013

SSL is Broken. Here's how to Fix it!

In the last few days, Brazilian television show Fantastico published a video with details on how the NSA has been backdooring SSL connections and intercepting supposedly secure Internet communications. They accomplish this through the use of a well known technique called 'Man in the Middle" whereby the NSA inserts itself between the computer of the person they want to compromise and the computer to which that person is connecting. By doing so, they are able to establish an SSL encrypted connection with each side thereby allowing the targeted user to believe they are securely connected to a website while giving the NSA access to every single byte that crosses the wire.

This is not an encryption break. It is a well known flaw within the system that SSL relies on called "Certificate Authorities". Generally, when a website wants to offer users a secure way to connect to them, they purchase an SSL certificate from a certificate authority. Your browser has several certificate authorities defined as 'trusted' so any site that has a certificate signed by one of these authorites will also be trusted without question.

The problem is that any certificate authority can issue a valid certificate for any site and that certificate will not be questioned by the browser. That's because your browser doesn't care which certificate authority the certificate comes from, only that it's from one that it trusts. This is the NSA's ace-in-the-hole.

Let's say you buy a certificate from Verisign. Users who connect to your website will see the little lock and know that their connections are absolutely secure from eavesdropping. What the NSA does is either compel Verisign to issue a second certificate that is controlled by the agency or goes to another authority (they might even run their own) and get a second certificate. Then, they use traditional man-in-the-middle techniques to insert themselves between the users they want to attack and your site and, because their second certificate is signed by a trusted authority, it too is also trusted. The little lock engages, everything looks fine, and the NSA can watch and read everything you say and do on that particular site.

We've long suspected that this was happening. We've long known that it was possible. In fact, police successfully used this attack a number of times in the past to gather evidence that was later used to convict someone. But everyone downplayed the severity of the problem because, well, we didn't have anything better and we didn't realize that it was such a massive threat.  The leaks from Edward J. Snowden have changed that. We now know, beyond doubt, that the NSA and probably other federal agencies are actively using this attack against targets.

There is an answer and it's pretty simple...

A few years ago, security researcher and programmer Moxie Marlinspike presented a very elegant solution to the problems we face in blindly trusting certificate authorities. It was called "Notaries" and it works almost exactly like it sounds like it would.

Under the notary system, every time your browser receives a new certificate from a website, it asks several other computers on the Internet (either random ones or ones you've pre-selected) if they see the same certificate. If you're being man-in-the-middled and presented with a fake certificate, the notaries won't see the same certificate and you'll easily be able to detect a forgery. The system can be set up so that it requires the consensus of all of the queried notaries in order to mark a certificate as valid or a majority.  That means that, even if there are a few bad actors within the system - notaries controlled by the NSA, for example, it's still possible to get a reliable answer as to if the certificate you're seeing is real or not.

Notary security comes with a price...

As you might have already noticed, there is a glitch in the system that some people probably won't like. Since you're asking other computers if the certificate they see is the same certificate you're seeing, you are allowing other computers to know the sites you visit.  There isn't a good work around for that yet in Moxie's system but, for the time being, the answer seems to be 'only use notaries you trust and untrust any that violate your privacy'.

Since seeing Moxie's presentation, I've given this a lot of thought. In the end, I'm alright with selected other sites knowing what sites I visit as long as 1) I know they can't see what I'm doing on those sites and 2) they provide me with good security.  I'm sure that, once the system comes into wide use this problem will be solved pretty quickly though and there are a number of ways to address it even now. But I'll leave that as an exercise for you.

Our idea of trust has to change now...

Out of everything the leaks from Edward Snowden have shown us, the most important thing we need to take away from them is that our idea of trust and who we trust needs to change.  It turns out that the web is built on some pretty fragile security technologies that we need to seriously reevaluate. Even if we trust the companies that provide our services, that's not enough. We also need to be able to find trustable ways of consuming those services and plain old SSL simply isn't one of them.

If you want to learn more about notaries and how they very well could be the savior of web security, check out the presentation on them that Moxie did here. If you'd like to try out the concept now and you're using Firefox, you can download the plugin from here.

Liked this post?  Why not donate some Bitcoin?

Friday, September 13, 2013

Why I Chose Ubuntu One as my Cloud Storage Provider

Cloud storage is something that's really pained me over the years.  While I see the value of backing everything up to the cloud, I also see the very serious potential pitfalls of placing my data in the hands of someone else who, under the right circumstances, might be compelled to hand that data over to a third party. So, for a number of years, I've avoided using cloud storage nearly entirely.

But recently, the realities of daily life and the need to share large files with friends and collegues brought me back to considering the cloud. Since cloud storage is hot right now, there are a lot of options and I, systematically, went about trying all of the big ones for at least a week to see which I preferred. The services I tried were Dropbox, SugarSync, SpiderOak, Ubuntu One, and Jungle Disk.  I specifically excluded services like SkyDrive since 1) Microsoft seems fairly hostile towards Linux and I am a Linux user and 2) We know, through recent disclosures from Edward Snowden, that Microsoft has gotten cozy on several occassions (and possibly on an ongoing basis) with the US National Security Agency.

After trying each of these services for a week and uploading a few gigabytes of data, the choice of which service I was going to use was exceptionally clear: Ubuntu One.  Ubuntu One didn't outperform everyone else or offer the best price on storage space but it had something that none of the others did: my trust.

Overall, I trust the company behind Ubuntu One (Cannonical) to respect my privacy. The entire company is founded on the guiding principles of Free Software and respect for users rights so I feel very comfortable putting my most sensitive data in the company's hands.  Price wasn't too bad either. After getting a special deal on six months of 20 gigs of storage and purchasing another year of an additional 20 gigs, I now have 45 gigs for a little over $35 a year. Not the cheapest out there but definitely worth the little extra for the peace of mind I get.

Now, don't get me wrong: I don't trust Ubuntu One completely.  I don't just upload everything to the service without taking precautions. While I believe that they are unlikely to be compelled to disclose my data to a government agency, I don't discount the possibility of hackers or even a nosey Cannonical employee checking out my data. For that reason, I have a special folder in my Ubuntu One directory called "Sensitive" that I store any sensitive data too.  Data that I deem as sensitive is first encrypted using PGP in another directory then moved into the Sensitive directory for uploading to Ubuntu One. The service never sees unencrypted data that I deem too personal to share even with them.

Overall, I'm very happy with my choice. I feel good because I am using a company I trust and I'm helping to support a great product financially. And, since Ubuntu One is available on Windows, Mac, and Linux,  I know that I can easily access my data no matter where I go.

So that's that. My cloud storage search is over. I'm at peace with my decision and am actively recommending it to others who are looking for cloud storage solutions and who don't want to host their own. Ubuntu One seems like the best value for the security, peace of mind, and ease of use, it offers.

If you want to check it out, click on this link. You can get a free 5GB account and start using it immediately. Right now, the service is running a great special whereby if you purchase a single track from the music store for $0.99, you get six months of free streaming to your mobile device and 20gb free!

Did you like this post? Why not donate some Bitcoin!

Wednesday, September 11, 2013

How I Pay Homage to 9/11

Twelve years ago today, the largest and most deadly attack on our nation happened when Islamic terrorists used airplanes to destroy the World Trade Center in New York. That was a horrible day, perhaps the most horrible day of my life, and I've been forever changed by, not only the events that happened that day, but what's happened to our country in the intervening twelve years.

On that horrible day, the soul of our country was changed. We became fearful, distrustful of our friends and neighbors, and willing to accept things done in our name and in the name of 'protecting' us, that we probably wouldn't have accepted only a single day before.  We've seen our country become one where it's alright to swap a little freedom for some vague idea of safety and we're just about willing to accept anything in order to be assured, something nobody can really do, that we won't be attacked again.

I believe this betrays the spirit of 9/11.  For the last decade, we've been told by our government that we were attacked 'because of our freedom' and, yet, the answer to those attacks seems to be to do exactly what the attackers supposedly want: reduce freedom. It makes no sense for a free people to become less free in response to a supposed direct attack on their freedoms. It's contridictory and confusing to think that way.

So I choose not to think that way. I choose to honor the lives of those lost on 9/11 by embracing my freedom and committing to fighting those, from both inside and outside my country, who stand in its way.  I will not gnash my teeth and rent my clothing and scream and cry about how scared I am. I will not judge or fear my neighbor because of his religion or ethnicity or the color of his skin. I will not give up my liberty just for the illusion of security.

And I hope you won't either.

The best way to pay homage to those who died in the attack is to commit to living a life so free that your very existence is an insult to those who hate freedom - no matter where they come from. It's refusing to trade that liberty for any cost and not living your life in fear. It's about living your life to its fullest and to embrace liberty with a wild abandon that would make those who died proud. To me, that is what 9/11 represents. And that is how I choose to honor it.

Did you like this post? Why not donate some Bitcoin!


Sunday, September 8, 2013

The NSA Has Not Broken Internet Encryption

In the last few days since the most recent leak by Edward Snowden, I've received countless emails from people I've convinced to use encryption forwarding me story after story about how the US National Security Agency has 'broken Internet encryption".  These articles are usually followed by comments like "See, I told you they had access to everything!" or "Why bother using encryption at all now?"

Here's why: because the NSA hasn't actually broken Internet encryption!

What the Snowden documents reveal is a pattern of coercion  by the NSA to force companies into deliberately making their encryption products weak, turning over their encryption keys, or providing backdoors into encrypted systems. None of this constitutes 'breaking' encryption anymore than if I come across an open door in your house and I walk in I'm 'breaking and entering'. It's silly sensationalism put out by a media that can barely understand what encryption actually is much less what it takes to break it.

Are all encryption technologies still safe? No. I would seriously question encryption software and hardware that doesn't disclose its source code for public review. I know companies like to yell 'trade secrets' but that's bull. Encryption isn't a trade secret and by claiming it is they are showing that 1) they don't fully understand encryption and why it's not a bad thing to publish your source code or 2) they are afraid of public review; maybe because something is there to find.

So, as these leaks continue to give us a better view of how the NSA operates in attacking the Internet, one thing becomes clear: we have passed the time when we can blindly trust technology companies and the software they create to protect us. We need more than words and promises from these companies because words are cheap. We need source code, we need peer review, we need complete transparency.

Now, I know a lot of you will say 'being open source doesn't guarantee that there aren't subtle things in the code meant to weaken it' and that's very true. But being open source means that we have a better chance to discover those holes and weaknesses than we do if we don't have the source code.  It's trivial to hide something nasty in a product that doesn't disclose its source code; it's not so easy to do so when thousands of eyes will be pouring over the code specifically looking for those 'something nasty's'.

So, no, "Internet encryption' has not been broken - not all of it at least. But it's time that we become much more choosy about the products and companies in who's hands we place our security.  We have to outright reject the notion of 'trusted companies' and only accept verifiable proof that a company's products are secure. That's the only way we'll have a fighting chance against adversaries like the NSA.

Now, go tell the New York Times to shut the hell up about things they know nothing about.

Liked this post?  Send me some Bitcoin!


Saturday, September 7, 2013

Trust is an Easy Word. Fighting the Government Shows Integrity

In todays networked world, we hear the word 'trust' a lot.  Companies like Google, AT&T, Apple, and others constantly talk about how their customers trust them and how we should trust them with the most intimate details of our lives: our contact lists, our emails, our medical records, everything. "Store it in the cloud!", they proclaim, "We can be trusted to protect your data".

But that really hasn't proven to be the case, has it?  Recent revelations from NSA whistleblower Edward Snowden have shown that these companies don't deserve our trust.  Many of the large companies who hold our most secret information have proven that they are willing to betray us as long as they are, in turn, protected from our ire.

These companies all sing a familiar song: "it's the government", they say, "We're being forced to turn over your data to them. It's not our fault!"  In many, if not most cases, this is technically true. But it's not the whole story.

When the government comes knocking on a corporations door, the leaders of that business are immediately faced with a choice: do they roll over and hand the government data their users have entrusted to them or do they fight?  We know that, in the majority of cases, these companies have simply chosen to give in and hand over the goods.

And why shouldn't they?  After all, they are protected from us  by the government! It's highly unlikely that they will ever be caught betraying their users and, even if they are, they have special arrangements with the government where they largely can't be sued. It's a sweet deal that allows the company to take the easy way out of a tough moral decision. It lets them out of the legal aspect of it, but it doesn't release them from the immorality of what they're doing.

Don't get me wrong, I understand that there are times when those companies that choose to fight will lose and have to hand over their users data. But at least they've shown that they've tried to protect you. It's easy to claim patriotism or coercion and roll over. It's another thing to stand up, dig your heels in, fight, and lose.  One is the cowardly way out. One shows integrity.

So the next time you hear a company talk about trust, ask yourself (and them) this: are they willing to stand up and fight for your rights when your data is demanded from them by a large and powerful adversary like the government?  If they aren't, then they don't deserve your trust or your business. Words are cheap. It's easy to throw around words like 'trust' and 'integrity'. It's a whole other story to actually be a company people can trust.

So far, I'm not seeing a lot of reasons to trust anyone in today's tech world. And that is perhaps the saddest part of this whole NSA scandal: learning how deeply we've been betrayed.

Did you like this post? Why not send me some Bitcoin!


Friday, September 6, 2013

It's impossible for an indie developer to make a living writing software for Linux

Less than  a year ago, I transitioned my small startup from one that primary did IT consulting to one that developed interesting software products. I'm a one man shop and I originally only developed for Windows. But, after revisiting a tool that allowed me to easily build cross-platform applications, I decided to try my hand at developing applications for the Ubuntu Linux desktop.

I chose Ubuntu for a number of reasons. Most importantly, it seems like that's the distro where all the exciting things are happening and technologies are truly being expanded.  It also is the distro with the largest number of desktop users and the greatest need for really good  consumer software. So I ported a few of the applications that were selling particularly well on Windows to Ubuntu and put them up for sale in the Software Center.

I treated this like any other part of my commercial venture: I did marketing, PR, advertising, the whole nine-yards. And, for about a few months, things went pretty well.  They went so well, in fact, that I got seduced into believing that, with the right software,  I might just be able to make a full-time living writing software for the great untapped Linux desktop market.

Then sales tanked. I don't mean they "declined" either. I mean they tanked. Within a few weeks I went from selling a pretty decent amount of software to selling one to two copies a month. Then, after another month or two, that number dropped down to zero.

I developed other software, played on novel things that I'd seen the community say 'it would be nice to have' and, once again, I saw a slight (and I mean slight) number of sales then a near total drop.

So now, while I'm still primarily a Linux user and I'll continue to develop free and open source software for Linux, I'm back to developing all of my commercial software for Windows and Mac full-time.

I realize there are a number of possible explanations as to why my software didn't sell. One might be that it simply wasn't good software. I've considered that and, while that's a possibility, I have to contend with the fact that the Windows version was selling really well.  I know the Linux and Windows crowds are very different, but there are some common themes that run between them; enough where consumer software that resonated with one should resonate at least a little bit with the other.

Another explanation might be that I wasn't producing the right kind of software for Linux. Like I said: with the two markets being so different there is a chance that what people want and are willing to pay for on one platform doesn't automatically translate to the other platform.

A third option might be that my software was not open source - a huge selling point in the Linux community.   If I had to pick one of the reasons I just mentioned as something that contributed to my non-sales, I'd likely say this was it. In fact, I got comments on Google+ telling me I was a traitor to the Linux community for not giving away my source code.

But I honestly don't think any of these reasons are the real reason my software didn't sell. I believe it's because, as a general rule, Linux users are simply not used to and very averse to spending any money on software at all.  I'm not saying Linux users are cheap (the success of packages like the Humble Bundle disproves that) but they are much more selective  at what they spend their money on than their Mac and, especially, Windows using cousins.

On the Mac and Windows platforms, users are used to paying for software. Sure, they'll look for zero cost software first but, in the end, it's not that big of a deal if they have to pull out their wallet and slap down some cash to get what they want. In the Linux world, this is most certainly not the case. Windows and Mac users are not really willing to use really hard to use or crappy software just because it's free. Linux users are. Linux users are also not averse to simply writing their own software if the itch scratches them which is not generally something Windows and Mac users can do.

All that tallies up to the fact that it's impossible at this time for an indie developer to make a living (I don't mean a few hundred bucks a month, I mean a real living where you can pay your bills and eat) by writing software for the Linux desktop. Even Ubuntu, the most popular Linux desktop in the world. Maybe one day that will change, but right now, it's just not doable.  And I'm not saying that because I couldn't make money writing Linux software, I'm saying that because nobody writing consumer software for Linux is making a living doing it.

For me, the realization of that fact was very depressing. On one hand, I know that, in order to succeed, Linux needs good, professionally designed software. On the other hand, I think it's exceptionally difficult for developers to write that type of software while relying on donations (which is what the common advice is).  Developers need to eat, they have bills, they have children and families. Passion and idealism is one thing, reality can be quite another. At the end of the day, at least in my case, I choose financial stability over idealism. I'd love to write Linux software full time. But I also really like to not go to bed hungry.

Unfortunately, at least for now, the two simply don't mix well.

Thursday, September 5, 2013

Paypal Strinks Again: $45,000 in MailPile Campaign Funds Frozen!

The MailPile project made a disturbing announcement on their blog  earlier today, announcing that, of the $135,000 they raised in a whirlwind Indigogo fundraising campaign, Paypal, the payment processor used by Indigogo, has frozen $45,000 and nobody knows when or if they plan to release it.

MailPile is an open source project with the goal of creating a secure, easy to use, webmail client that integrates things like PGP and other privacy preserving features. There's been a lot of excitement around the project since the fundraising campaign started and this could be a serious blow if it's not resolved.

As many of you know, this is not the first time Paypal has frozen an account for dubious reasons. There's a whole website dedicated to Paypal horror stories and many developers and contractors have found themselves unfortunate victims of Paypal's wishy-washy attitude about 'possible fraud'.  It seems like that's the general excuse the company uses when it wants to hold onto someone's money for an indefinite amount of time without any detailed explaination.

In the case of MailPile, though, Paypal did offer a 'resolution; of sorts: they wanted a detailed breakdown of how the MailPile team plans to use the money,

While I understand Paypal's position of trying to protect their customers, it's fairly obvious that MailPile isn't conducting fraud and they're not a threat to any Paypal customer. Why Paypal would choose to freeze their account while countless others of questionable merit go unfrozen is beyond my comprehension.

For now, the MailPile team asks that the community not take any drastic action. They certainly don't want us to cancel our donations since it seems one of the things Paypal is concerned with is chargebacks. They ask that, if you're concerned about what's going on, speak out. Write to Paypal (a cordial letter) or blog about it. Speak about it on Twitter and let people know what's going on. This is probably the best way we can help MailPile now.

I also want to encourage anyone considering donating to the MailPile campaign to do so via Bitcoin instead of Paypal. I noticed that the project had a Bitcoin address on their site and I think that's probably one of the most assured ways that they will see a direct benefit from your donation. While you likely won't get any of the perks associated with the Indiegogo campaign (or maybe you will, I don't know), it's a great way to support the project outside of Paypals grasp.

You can find their Bitcoin address on the main page of their site.

Tuesday, August 20, 2013

ANNOUNCEMENT: AnonyMail2 to be released on August 30th

As most of you probably already know, I write a program called AnonyMail. AnonyMail is a cross-platform way to send completely anonymous and untraceable email to anyone on the planet. For a long while now, I've been working on a new version that implemented more of my ideas about security and privacy and helped people protect themselves better when the communicate.

After a few months of work, I'm happy to announce that AnonyMail2 will be released on August 30th for Windows, Mac, and Linux.

After taking a look at the first few versions of the software, I decided that, in light of all of the revelations by Edward Snowden, it was time for me to step it up a bit. Transferring messages via SSL simply wasn't enough anymore. We needed more. So here's what the new AnonyMail will have:
  • Message Padding to help stop traffic analysis by anyone monitoring the data transfer as the message is being delivered to our server. This feature, as it sounds, pads the message with a random amount of noise, thereby making traffic analysis by watching both sides of the connection extremely difficult.
  • Full Encryption. The last version of AnonyMail only encrypted the connection between the user and the AnonyMail server. We now know this simply isn't enough so, starting with AnonyMail2, all messages will be encrypted using a 4096 bit PGP public key and delivered to the server via SSL.
  • Routing through Tor. This is a no-brainer. You can't be completely anonymous if we know who you are. So you can now route all your AnonyMail connections over the Tor anonymity network.
  • Message Staggering. This couples really well with message padding and encryption in helping to make traffic analysis extremely difficult. You can now tell the server to wait a random amount of time before delivering your message. This random amount of time is not known to anyone - including you.
  • Multi-Hop Delivery Routes. Taking a page from the Tor playbook, I've implemented the ability to route your messages through multiple relay servers The default is 4 but this might change as we learn more about spy capabilities and exactly how they monitor the Internet.
A lot of work and love has gone into this version of AnonyMail and I hope it's well received and useful. If you have any ideas you'd like to see implemented in the next version (yep, already planning that one) shoot me an email and let me know.

BIG PRE-RELEASE SALE ANNOOUNCEMENT

The software will release on August 30th at 12:00am. From today until then, I'm offering those who pre-purchase AnonyMail a discount. Buy it before August 30th and get it for $2.00.

You can do that here: https://gumroad.com/l/TsSC
 
IS ANONYMAIL OPEN SOURCE?

No. AnonyMail is not an open source program in the traditional sense of 'you can do anything you want with it'. You can't. I make a living from the software I write and have chosen not to make AnonyMail completely open source.

However...
  • If you buy it, you get the complete source code, including the source code of any libraries used in creating it.
  • You have the ability to compile the source I provide you into your own binary so you know that 'what you see is what you get'. 
While I'd love to make AnonyMail completely open source, for now, it's not an option. I am strongly looking at ways to do that very soon though. For now, I hope the two items above are enough for most people. Feel free to scream at me about it.

Sunday, July 21, 2013

IT pro's must join the fight between regular users and the government

We've learned a lot over the last month about the massive surveillance program run by the United States government through the NSA. We've learned, in effect, that no one is safe. Whether you're an American or not, every single piece of information you send to the Internet is captured and stored and there is absolutely nothing you can do to stop it.

As IT pro's, we're often called upon to help friends, neighbors, and collegues with their technology problems. This is one of those times. We're being called upon and I think this offers us an unprecedented opportunity to be of service and value to others.

We need to help people protect themselves from surveillance and we need to make it easy for them to do so.

As an IT professional, we are users first line of defense against things like PRISM and other data collection tools. We know how to fight it, we know about encryption, and security, and how the Internet works. Normal users don't. It's our job to teach them.

If you've got the requisite knowledge, I challenge you to get out into your community and do something. Don't just sit by when you hear people complain about the snooping, actively engage them and teach them how to fight it. Set up community training on encryption, proxy use, Tor, and other tools that help protect users. Teach them good security protocol and let them know there is an answer to the question of how to protect their privacy.

You are being called out, my fellow IT pro's. It's time you step up and join the fight. It's time you stop sitting by the sidelines with a smug smile talking about how if people wanted to protect themselves they would. It's time you do your part.

Get involved! Create a movement. DO SOMETHING!

Tuesday, July 16, 2013

How to generate a revocation certificate in GPG

It surprises me how many people use PGP and GPG without ever creating a revocation certificate. These are the same people who wreak havoc on mailing lists when they either lose their private key or forget their passphrase and can no longer use the key. I know it wreaks havoc because I've been one of those people and, trust me, it's not a fun position to be in. People get irritated and it always brings up questions when you try to submit a new key.

Generating a revocation certificate in GPG (and I assume it's a similar process for PGP proper) is fairly easy. Here is the process:

$ gpg --output revocation-certificate.asc --gen-revoke 86C30530

sec  1024D/86C30530 2006-10-23 Your Name

Create a revocation certificate for this key? (y/N) y

Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)

Your decision? 0

Enter an optional description; end it with an empty line:
>

Reason for revocation: No reason specified
(No description given)

Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Your Name "
1024-bit DSA key, ID 86C30530, created 2006-10-23

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!


It's really important that you take the warning GPG prints out at the end seriously. Protect your revocation certificate with the same care with which you protect your private key and passphrase. Anyone having your certificate can revoke your key and make it unusable.

What happens if you lose your private key or it's compromised?

If you ever need to revoke your key, for example you've lost your passphrase or your key has been compromised, simply import the revocation certificate into your keyring and send your key to your contacts and keyservers. When your contacts import your key into their keyrings, it will be revoked and become unusable. Just remember though: ANYONE with this certificate can revoke your key so keep it safe!

 

Tuesday, June 25, 2013

How to configure your system to run Xojo Web Applications


Xojo, formally Real Studio, is an amazing development tool. Not only does it allow you to easily and quickly develop professional quality, cross-platform, desktop applications but it also allows you to create stunning web applications without all the hassles involved with having to understand a whole stack of technologies like PHP, CSS, HTML5, etc.

Unfortunately, getting a server set up for deploying Xojo created web applications has been fairly challenging to some so I'm creating this guide that details the path I followed in getting my server ready. Note that this is the process I followed on Linux. Windows might be slightly different!

Also, I'm going to show you how to deploy your Xojo web apps as cgi scripts instead of the standalone version. I chose this method because I want to be able to use an SSL certificate with the application I built. Standalone apps cannot use SSL certs, only cgi based ones that are tied to Apache (or the web server of your choice; we'll use Apache).


Step 1: Have a functioning web server

It is beyond the scope of this tutorial to help you set up a functional web server. So I'm going to assume that you at least have been able to set up Apache to serve HTML content. It you need help getting to that point, see the Apache documentation for help.


Step 2: Installing and configuring FastCGI

Xojo web applications make use of a technology called FastCGI. FastCGI allows you to interface interactive programs (like the kind you write in Xojo) with a webserver. You can write these programs in a variety of languages like Xojo, C#, C++,  Java, Perl, and even PHP. FastCGI just allows them to interact with the web server and provides a performance boost.

FastCGI does not come installed or configured with the standard Apache installation. So let's do that now. It's pretty simple:

1. Let's install the requirements. Note that I am using CentOS and the Yum package manager. If you are not using Yum, it should be fairly trivial to translate this command to whatever package manager your distro uses:


# yum install httpd-devel apr apr-devel libtool

2.  Next, we need to download the mod_fastcgi source code.  Again, pretty straightforward and simple. It assumes you have the wget program on your computer. Most Linux distros come with wget installed.

# cd /opt
# wget http://www.fastcgi.com/dist/mod_fastcgi-current.tar.gz


3.  Since the package came in as a tar archive, we next need to untar it using the tar command.

# tar -xvzf mod_fastcgi-current.tar.gz

4.  Now, we need to install the module.  When I wrote this tutorial, the latest version of mod_fastcgi as 2.4.6. Make sure that you substitute whatever version number the version your mod_fastcgi package is below.

# cd mod_fastcgi-2.4.6
# cp Makefile.AP2 Makefile
# make top_dir=/usr/lib/httpd
# make install top_dir=/usr/lib/httpd


5. Next, we need to tell Apache to load the module so that we can use it. To do this, you'll need to edit the /etc/httpd/conf/httpd.conf file in your favorite text editor.

Look for the section of the configuration file with a lot of LoadModule directives and append this line to the end of those entries:

LoadModule fastcgi_module modules/mod_fastcgi.so

That's all you need to do to the configuration file. No need to use 'AddHandler' or anything else.

6. Now, restart Apache

# /etc/inid.d/httpd restart

Note: some Linux systems no longer user init.d to manage services starting and stopping. If the above command doesn't work, find out what service management system your distro uses and use that.

7.  Now, let's validate that the module is installed and loaded:

# grep -i "FastCGI" /var/log/httpd/error_log 

If everything went right, you should see something like:

[Tues Jun 25 15:18:32 2013] [notice] FastCGI: process manager initialized (pid 8853)

If everything has gone right, we have our Apache properly configured and ready to serve up our Xojo apps. All we need to do are upload them to the right place and change a few permissions.

Step 3. Uploading your Xojo App

Uploading your Xojo app is just like uploading just about any other file. When you compile your app, Xojo creates several files and folders. You will need to upload all of those files and folders to your server.

Using the default Apache configuration, you should upload all of your Xojo web apps to the /var/www/cgi-bin directory. You can create subdirectories of that directory to contain each of your apps or you can change the Apache config to server your cgi scripts from anywhere. But, for this tutorial, we'll assume a default installation.

Step 4. Setting Permissions

In order for Xojo apps to run properly, you will need to set permissions on several files. You can usually do this through your FTP program. If you can't, or if you want to do it by hand, you can type the following commands:

# chmod 755 appname.cgi
# chmod 755 appname
# chmod 755 appname.config

Your app should now be ready to run and can be called from the browser like any other web app:

http://hostname/cgi-bin/appname.cgi
 
Final Thoughts

This guide is by no means the be all and end all of configuration guides for running Xojo apps. It's only what I did to get Xojo web apps running on my server.  If you have trouble getting things running using this guide, feel free to email me at anthony@cajuntechie.org or ask questions on the Xojo Mailing List. You'll find some amazingly helpful people there who can answer just about any question you have.

Did you like this post? Why not send me some Bitcoin!



Sunday, June 23, 2013

The Government, The Media, and the Big Diversion of 2013

Why are we so obsessed with Edward Snowden?  It's been almost three weeks since the NSA employee turned whistleblower leaked information about a secret program within the NSA to spy on Americans and the media is still dissecting his personal life and toilet habits.  It seems everywhere I go: Twitter, Facebook, Google+, magazines, newspapers, all I see are headlines like "Five things you need to know about Edward Snowden", followed by long, meaningless data about a man who, in the grand scheme of things, doesn't really matter.

Sure, what Snowden exposed matters. The personal risks he took and continue to take matter. But neither of those matter as much as the information he exposed. Snowden showed us, beyond doubt, that the US government does not care about Constitutional rights, privacy, or the rule of law. Snowden showed us that trusted companies are not just being complicit in the government violating the privacy of Americans but actively helping them do it.

This is a time when our blood should boil.  Every American should be out in the streets protesting the wholesale, rubber-stamped, violation of our Constitutional rights by an out of control government. We should be meeting together to plan political strategy and discuss how we're going to punish Obama and every single traitor in Congress who supports these programs. We should be actively getting ready to make sure every member of Congress who voted for the program or has openly voiced support never works in government again..

But, instead, we're learning about Snowden's pretty girlfriend with a broken heart and 'crazy eyes'.

Yeah, that matters. It matters because the media has told us it matters. The media has told us to focus on anything but the actual information Snowden released. "Don't look behind the curtain!", we're told, and, just like the obedient sheep we've become, we quietly sit down and do as we're told. We're great at being diverted. The media plays us like a cheap fiddle bought at an "Everything's a Buck" store and we lap it all up.

We should be ashamed. We should be disgusted, not only with our scumbag politicians, but with ourselves as well. How can we call ourselves "Americans" and say that we support the ideal of freedom when our own government is turning the whole world into one big episode of EdTV? Every one of us who hasn't spoken out, who's gotten endlessly trapped in the salaciousness of the Snowden affair should be disgusted.

In the end, and I think Snowden would agree with me, his life doesn't matter. The legality or morality of his actions don't matter. Certainly, what color panties his girlfriend chose to wear today doesn't matter. The only thing that matters is that we have been betrayed by those we elected to serve us.

And that should make us mad as hell.

Monday, June 17, 2013

How the NSA PRISM Program Works

On June 6th, 2013 and in the days following, a series of leaks about a secret program run by the US National Security Agency were published by The Guardian newspaper.  These leaks detailed a program in which the NSA was tapping the data, emails, voice conversations, and other Internet activities of millions of innocent American citizens without a warrant and claimed to have 'direct access' to the servers of six major Internet companies: Google, Yahoo, Microsoft, Skype, PalTalk, and Apple.

The companies involved immediately rushed to deny the claims. All involved seemed to assert two thing 1) That they only complied with 'lawful requests' made by the government for user data and 2) that the government did not have 'direct access' to their servers.  Some, like Google, claimed the very first time they ever heard the term PRISM was in that days newspaper reporting.

Of course, these companies might just be lying. Certainly any kind of order for such access would also be accompanied by a companion order that would prevent the companies from talking about the program or their involvement in it. But I think it's something deeper and perhaps more sinister than that. I think that both the government and the companies involved are being honest and I'd like to discuss how I believe that is in this blog post (or website, if you're coming to it through www.hownsaprismworks.com).

Going Back to the Beginning: Mark Klein, 2006

In May 2006, AT&T technician Mark Klein blew the whistle on a secret collaboration between his employer and the National Security Agency. According to Kleins sworn testimony, the agency set up a special room at AT&T where they were able to tap a large amount of American Internet traffic as it flowed through the AT&T wires. While most of this data was intended for or sent by AT&T customers, because the company carries a large amount of data from other carriers, it is widely believed that much of the traffic captured had nothing to do with AT&T or their customers. The equipment in the secret room simply scooped up everything that came through it and a lot of that 'everything' was domestic Internet traffic that did not come from foreign countries and was not going to foreign countries.

According to Klein, the system worked by installing a fiber optic 'splitter' on the AT&T network. All traffic that came into the location was 'copied' by the splitter and a copy of it was sent to the secret NSA room for recording while the other copy was routed over the network as usual.

Fiber optic cables carry their data in light form. That means that what goes over these cables isn't sound or regular electrical pulses but light. The splitter installed on the network divided that light into two copies and, thus, we have the program name: PRISM.

It is particularly interesting that all of the companies involved used some pretty precise wording while refuting the NSA claims on how they monitored millions of Americans. In each case, the companies specifically denied that the government had 'direct access' to their servers. I believe this language is important because I believe this is the key to how we were all monitored.

How the internet shuffles data from place to place

The key to this scandal isn't 'servers' like everyone reported. Servers are the physical location where data is stored. This is where the data lives. If for nothing more than security reasons, it is highly unlikely that major Internet companies like Google and Microsoft would give anyone direct access to their servers. The key instead is another part of the foundation of the Internet called routers.

Routers are single purpose machines that connect to a network with the sole purpose of moving data from one place to another. You may be familiar with routers in that many of us have them in our home. They are the small, plastic, boxes that provide wireless access or allow us to share our Internet connection with several computers.

Large networks like the ones run by the companies listed by the NSA program also use routers. The routers they use are capable of routing enormous amounts of data into and out of their networks and pushing that data closer towards its destination.

When a 'packet', a small piece of data representing an email, IM, voice chat, etc, leaves a computer, it is sent through whatever the closest router to that computer is. This packet contains some identifying data including the source address (where that packet came from) and the destination address (where that packet is going to). The initial router will take that packet and 'forward' it to another router that is closer to the destination which will in turn forward it to yet another router still closer. This forwarding process continues until the packet reaches its final destination. This means that a packet may go through hundreds of routers before reaching its destination, any of which could make a copy of that packet before forwarding it on.

As a packet gets closer to its destination, the routers it is forwarded through tend to become more and more concentrated. That is, the closer a router is to a specific location, the more likely that the majority of the traffic that router carries is for that location. So routers that are closest to Google will often carry mostly traffic for or from Google while routers closer to Microsoft will usually carry mostly traffic for or from Microsoft.

At some point, there is one final hop in the packet transfer process: the point where the last router in the chain directly connects to a network (say, Google) and transfers data to and from that network.  I believe this final hop, or the ones directly before it, are the key to how both the government and the comnpanies could both be telling the truth about PRISM.

What likely happened.

Most likely, the government did not go to each of these companies and compel their participation in the program. They didn't have to. All they had to do was to install a tap immediately upstream of each target company and capture any data going in or coming out of their network. This would not require the companies tapped to participate or even know that such surveillance was going on. In fact, they likely didn't know and didn't comply.

The best part, for the government, is that having deals with these 'upstream' companies instead of individual companies like Google or Microsoft, allows a much wider and comprehensive surveillance net to be thrown. The providers who provide connectivity to Google, for example, likely also provide connectivity to hundreds or thousands of other companies. Going to Google would allow the NSA to tap Google. Going to an upstream provider would allow them to tap anyone who they provided connectivity to without the need to approach and compel each company. It's a beautiful solution.

What about SSL? 

When you connect to your Gmail account, your bank, and countless other services, you usually do so through an encrypted connection between your computer and the remote machine. So if you check your Gmail, anyone attempting to monitor the connection between you and Gmail would see nothing but garbage because the connection is encrypted. Capturing that information would be useless because it's practically impossible to decrypt even for the NSA.

Unfortunately, that usually isn't the end of your data's journey. Let's use Gmail for example:

  • Your computer establishes an encrypted connection to Gmail in order to compose and send an email. Nobody along the line can read what you're typing or the contents of your email.
  • You compose your email and click 'send'. Gmail will then reach out and send your email to the other persons mail provider. This is likely done without encryption. Most mail transfer between providers is done unencrypted in plain text.
See the problem here? Because the tap is installed on the routers and networks providing connectivity to Google, they are able to capture everything sent out of the Google network. That means that they can capture your email as it's being delivered to the remote service or as a remote email is being delivered to your Gmail.  Again, remember, Google does not have to be complicit in this spying nor do they have to even know about it (and they likely didn't).

That's how I believe the PRISM program works. It's deceptively simple and allows the government to work with a much smaller amount of companies to capture vast amounts of Internet traffic from multiple companies. It also allows the companies they're spying on to truthfully say they didn't participate because,. well, they didn't.  While these companies certainly knew this kind of capture was possible, I doubt any of them knew for certain that it was actually going on.

How can I stop my data from being captured?

It is impossible to prevent our data from being captured by PRISM or any similar programs the government might be running. They have tapped the foundations of the Internet and, thus, can likely capture the data of anyone they'd like to. The question then isn't how we can stop our data from being captured but how we can make it useless when it is captured.

The answer is quite simple: encryption. Email should always be encrypted, files that are stored on cloud providers should be encrypted before leaving your computer, and voice and IM conversations should be encrypted either using Off the Record Messaging or ZRTP.  Remember, these technologies would not stop your data from being captured, but it will make your data useless when it is captured.

In some cases it may be impossible to encrypt your data. For example, what happens when you must send email to someone who doesn't use encryption or you have a chat session with someone who doesn't use OTR? In those cases you really only have two choices: don't do it or do it and accept that your data will likely be captured and stored. It's as black and white as that.

What about hosting my own email, file storage, etc?

In all cases, hosting your own data is preferable to sending it to someone else else for hosting. It's trivial to set up something like SpiderOak instead of Dropbox or your own XMPP server instead of Google Talk or Yahoo Messenger.  But hosting your own data isn't a magic bullet and won't always save you from data capture.


As long as data stays on your local network (in your house), it's likely not being tapped. But the moment it leaves your network it's subject to interception. As we discussed above, there are multiple places that data can be captured and you should consider any data that leaves your network as up for grabs.

The main benefit of hosting your own data is 'where the court order goes'. If you host data with a provider like Google or Microsoft or anyone else, those companies are subject to a knock on their doors by someone with a court order demanding your data. That court order will likely come with a gag order that prevents the company from even telling you that knock and demand happened. You're defenseless.

If you host your own data, that knock and court order will come to you. You will know if they demand a copy of your data and you will be able to contact a lawyer and defend yourself. They can't hide behind secret court orders.

Summary

The above is a description of how I believe the PRISM data collection works. As you can see, it's comprehensive, Orweillan, and very hard to evade. In the end, it's going to take a combination of social, political, and technical manevures to defeat it and it's going to be an enormously difficult task.

The US Intelligence community is constantly demanding more access into our lives. The NSA, for example, has built a massive data center in Bluffdale, Utah that is capable of storing all of the worlds communications for 100 years.  When you're up against that sort of technology, it's very hard to fight against it and win. But I believe it is possible. We just have to use the right tools.

Lastly, I think it's important that we cut through the crap we're being told about how if we have nothing to hide then we have nothing to fear. The fact is that the things we do today may be illegal or suspicious tomorrow. When everything we do and say is captured and stored, it allows them to go back later, as the law or social and political climate changes, and retroactively define who 'has something to hide'. We might not have something to hide today, but who knows how our perfectly legal and just actions might be perceived in the future?

Additionally, think about this: we all go to the bathroom. We're not ashamed of it, there's nothing wrong with it, and it's not even socially improper. If someone announces to a table "I'm going to the bathroom" it's likely no secret what they are going to do in there. Why, then, do we demand privacy when we go to the toilet?

The fact is that we have a right to control our privacy. A society cannot be truly free unless each individual gets to decide what private information will be shared with whom. That decision never falls to the government or a corporation, or another individual.

Liberty without privacy isn't liberty. It's borrowing time until someone uses your private thoughts and actions to deprive you of liberty. That is not a society I want to live in and I suspect you don't want to either. That's why it falls to each of us to stand against these programs even if we have nothing to hide. It's a matter of principle. More importantly, it's a matter of freedom

How to Contact Me

Interested in discussing this article with me or have questions? Email me at anthony@cajuntechie.org.