Saturday, February 22, 2014

OpenSSH: the Swiss Army Knife of Network Tools

Like many people involved in tech, I've used the SSH tool a lot over the years.  But I've mostly just used it in the 'plain vanilla' way to securely log in to remote machines. Today, I decided to dig deeper into OpenSSH (the standard SSH program for Linux/UNIX) and I was completely blown away!

OpenSSH is amazing. It's the Swiss Army Knife of network tools. Using this simple little program you can:



  • connect securely to a remote machine using an encrypted connection
  • create a VPN like service without all the fuss of OpenVPN
  • access your UNIX/Linux programs from your Windows and Mac machines
  • get around port blocks that your ISP enforces (think: port 25)
In my post today, I'm going to discuss the four points above and show you how simple doing those things really is. I think that, when we're done, you'll likely be chomping at the bit to get OpenSSH set up and running on your systems if it isn't already.

The 'blah' stuff: connecting to a remote machine using OpenSSH

This is probably the way most of us have used OpenSSH in the past. We've got a remote server at work, home, or a VPS and we want to connect to it and manage it securely. Doing that is incredibly simple:

ssh username@hostname.com

That's all it takes and you'll be presented with a login prompt (or asked for your SSH key passphrase, depending on how you've set things up). From then on, everything you do over that connection is encrypted. The one thing worth checking is the host key fingerprint ssh shows you the first time you connect to a new machine: accept it only if it matches what the server's administrator gave you, because that fingerprint is what protects every later session from someone impersonating the server.

I want my own personal VPN but OpenVPN is too hard to set up!

No problem, OpenSSH can give you VPN-like functionality without all the fuss that OpenVPN entails. I've set up OpenVPN in the past and it's not a fun task. And it's a complete waste of time if all you want to do is browse the web and check email without your ISP or anyone else knowing what you're doing.  OpenSSH makes it easy using the -D option:

First, establish a secure connection with the remote SSH server using the -D command line option. You will pass only one additional thing: the local port you want your proxy listening on. This is the port you will tell your local applications to connect to in order to route traffic through your remote system (if all you want is the tunnel and no remote shell, add -N as well):

ssh -D local_port_to_listen_on remote_username@remote_hostname.com

As before, you will be asked for either your password on the remote machine or the passphrase for your SSH key. Provide it and you are logged into the remote machine as normal. But here's the cool thing: OpenSSH is now also listening on that port on your LOCAL machine (on 127.0.0.1 only, unless you give -D a bind address), acting as a SOCKS proxy. Anything you send to it travels over the encrypted connection to the remote machine and exits onto the Internet from there. ANY application that can use a SOCKS5 (or SOCKS4) proxy can route its traffic this way. This includes Firefox, Thunderbird, most IRC programs, and most other major Internet programs.


Anyone watching your connection will see you emerge from the remote machine and not your local one, and your ISP sees nothing but an encrypted SSH session to that host. Take that AT&T! Two caveats are worth knowing, though: the operator of the remote machine (and anyone between it and the site you're visiting) sees whatever leaves it, so keep using HTTPS as usual; and DNS lookups only go through the tunnel if the application hands the hostname to the proxy instead of resolving it locally (in Firefox, set network.proxy.socks_remote_dns to true; with curl, use --socks5-hostname rather than --socks5).
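To make the SOCKS side of this concrete, here is an added example (my own code, not from the original post or from OpenSSH) of the handshake an application performs against the listener that `ssh -D` opens. It builds and parses the RFC 1928 messages by hand, offers only "no authentication" (the only method the OpenSSH proxy accepts), and sends hostnames to the proxy as a domain-name address so the remote end does the DNS lookup. The proxy address 127.0.0.1:1080, the target example.com and the reply bytes used in the comments are assumptions for illustration; IPv6 literals are left out for brevity.

```python
# Added example: hand-rolled SOCKS5 CONNECT handshake (RFC 1928) against the
# listener that `ssh -D` opens. Only "no authentication" is offered, which is
# what the OpenSSH proxy accepts. IPv6 literals are left out for brevity.
import socket
import struct

SOCKS_VERSION, METHOD_NO_AUTH, METHOD_REJECTED = 0x05, 0x00, 0xFF
CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x01, 0x03
REPLY_TEXT = {0x00: "succeeded", 0x01: "general SOCKS server failure",
              0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
              0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
              0x07: "command not supported", 0x08: "address type not supported"}

def build_greeting() -> bytes:
    """VER, NMETHODS, METHODS: we offer only 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])

def parse_method_selection(data: bytes) -> int:
    """Proxy answers VER, METHOD; 0xFF means it accepted none of ours."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method selection: %r" % (data,))
    if data[1] == METHOD_REJECTED:
        raise ConnectionError("proxy rejected every offered auth method")
    return data[1]

def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request. An IPv4 literal goes as ATYP 1; any other host is sent
    as a name (ATYP 3) so the far end of the tunnel resolves it. Resolving it
    here and sending the IP would leak the DNS lookup to your own ISP."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    try:
        dst = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:                       # not a dotted quad: send the hostname
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)

def parse_reply(data: bytes):
    """Return (reply_code, bound_addr, bound_port) from one complete reply."""
    if len(data) < 5 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed SOCKS5 reply: %r" % (data,))
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        addr, rest = data[5:5 + data[4]].decode("idna"), data[5 + data[4]:]
    else:
        raise ValueError("unsupported address type %#x" % atyp)
    if len(rest) != 2:
        raise ValueError("reply has wrong length")
    return rep, addr, struct.unpack("!H", rest)[0]

def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf

def read_reply(sock: socket.socket):
    """Read exactly one reply; the address field's length depends on ATYP."""
    head = recv_exact(sock, 4)
    if head[3] == ATYP_IPV4:
        body = recv_exact(sock, 4)
    elif head[3] == ATYP_DOMAIN:
        body = recv_exact(sock, 1)
        body += recv_exact(sock, body[0])
    else:
        raise ValueError("unsupported address type %#x" % head[3])
    return parse_reply(head + body + recv_exact(sock, 2))

def connect_via_socks5(host: str, port: int, proxy=("127.0.0.1", 1080)) -> socket.socket:
    """TCP connection to host:port through the SOCKS listener at `proxy`, i.e.
    the local_port_to_listen_on you gave to ssh -D (1080 assumed here)."""
    sock = socket.create_connection(proxy, timeout=10)
    try:
        sock.sendall(build_greeting())
        parse_method_selection(recv_exact(sock, 2))
        sock.sendall(build_connect_request(host, port))
        rep, _, _ = read_reply(sock)
        if rep != 0x00:
            raise ConnectionError("CONNECT refused: " + REPLY_TEXT.get(rep, hex(rep)))
        return sock
    except Exception:
        sock.close()
        raise

if __name__ == "__main__":
    # Assumes `ssh -D 1080 user@remote` is already running in another terminal.
    s = connect_via_socks5("example.com", 80)
    s.sendall(b"GET / HTTP/1.0\r\nHost: example.com\r\n\r\n")
    print(s.recv(4096).split(b"\r\n")[0].decode("latin-1"))
    s.close()
```

The point to take from `build_connect_request` is the address type: a client that resolves the name itself and sends only an IPv4 address (ATYP 1) has already leaked the lookup to the local resolver before a single byte enters the tunnel. Applications that let you choose (Firefox's socks_remote_dns, curl's --socks5-hostname) are choosing ATYP 3 here.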






Wednesday, February 19, 2014

Why Mozilla putting ads in Firefox isn't such a bad thing after all

The Mozilla Foundation announced a few weeks ago that it would begin including sponsored content in some of the tiles of its popular Firefox web browser. This, of course, immediately brought out the pitchfork-bearing zealots who insist that Mozilla is compromising the soul of Firefox and starting down some slippery slope that nobody seems able to define. While I'm not excessively happy about Mozilla's decision, I'm a lot more comfortable with it after reading Mozilla Foundation Chair Mitchell Baker's explanation of their plans.

What are those evil plans, you ask? Well, not so evil, it turns out. Basically, Mozilla plans to hand pick sponsors to advertise in one or two of the six tiles on the new tabs you open. The ads won't have tracking and the tiles can be completely turned off if you want to. Mozilla isn't going to share any information about you or your browsing habits with their advertisers either so the ads are completely benign.

Some people have been surprised by my support of Mozilla's plans and, to be honest, I was a bit torn when I first read about it. But I believe Mozilla has earned our trust over the years. They've walked the walk and talked the talk. They've defended openness, they've defended user rights, and they've been one of the free Internet's strongest advocates. I see no reason not to trust them with this.

We should also consider that the relationship between Mozilla and Google will be ending soon which will take a significant amount of revenue from Mozilla's budget. That money has to be made up in order for the foundation to continue to function and this seems like the most logical way to do it. In fact, it might bring in more money to the foundation than the Google deal did allowing Mozilla to do even greater and better things.

All-in-all, I'm having a lot of trouble finding a reason to worry about this. I don't believe Mozilla has suddenly become evil or is selling users out. And if they ever do, someone will fork the browser and carry on where Mozilla left off. That's the beauty of open source.

Relax.



Monday, February 17, 2014

The Sad State of the Ubuntu Community

The Ubuntu project has always been about community. Since the beginning, Canonical has tried to create a strong, vibrant, healthy, community around Ubuntu and the Ubuntu local teams (called "LoCo's") were a great way to do that. The idea was that support should be localized. There should be someone physically near you that you can turn to when you have a question or problem you need resolved. Sure, mailing lists, forums, and IRC, are great, but they don't come close to having someone right there with you.

Unfortunately, according to a recent LoCo Census, the local teams are in horrible shape. Some of the ones the census polled didn't even respond to their request while others did but are barely functional. My own LoCo in Oklahoma hasn't seen a mailing list post in almost a full year.

It's a horrible state and it's only getting worse.

We could sit and ask ourselves "what happened," as I'm sure Canonical is doing while they seek new ways to revitalize the community. But I think a better and much more relevant question is "what can we do to fix it?" With the debacle around Windows 8, now seems to be the perfect time for Ubuntu to show a strong presence in local communities. I believe this is especially true in smaller, rural, and poor communities, where modern computers and software are needed but the costs associated with moving from the soon-to-be-executed Windows XP to Windows 7 or Windows 8 are simply prohibitive. Those people are the perfect market for Ubuntu and its derivatives, and the LoCo's should be the tip of the spear of any effort to reach out to them.

So how can we fix it? I don't have the answers. But I think we seriously need to begin having some open and frank discussions with our community members. We need to find out why they stopped caring, where their passion went, and how we can re-excite them about getting Ubuntu into the hands of their local community again. Maybe the answer is financial incentives from Canonical for well-performing LoCo's, maybe it's swag, or something else. Whatever it is, we need to find it, implement it, and push hard to get things moving again.

We still love Ubuntu. We still believe it's the absolute best choice for users coming from the Windows or Mac worlds and it's dead simple for even the newest computer users. But we have to get people on the ground who are willing to get their hands dirty, get active, and push us forward.

What do you think the answer is? Ideas?




Sunday, February 16, 2014

Ubuntu and Mark Shuttleworth: Setting an Open Source Example

You wouldn't think an initialization system would cause a war.  But, for over a year, the debate between the systemd init system and Ubuntu's upstart system has been dividing the Linux community, spawning hundreds of posts on blogs and social media, and fanning the flames of a good old open source war.  At times, it got brutal, with some resorting to name calling and trash talking.  People were invested, often heavily, in one camp or another and there were numerous, solid, technical reasons to adopt either system.

In the end, it came down to a decision by the Debian project. When they announced that they were going to use systemd instead of upstart in the next release of the operating system, it solidified the fact that upstart had, as valiantly as it had fought, lost the war for mind-share and support. systemd would be the init system of the realm and anyone using upstart would ultimately be the odd man out.

With so much passion flowing on both sides, you would think that the decision would have been met with some hostility by those who support upstart. These are people who'd devoted years of their lives to designing a powerful system that now seemed to be simply tossed away. And, in the open source world, an all-out bloodbath might have even been expected. But that's not how it went down, and I'm glad it didn't.

In the end, Canonical founder Mark Shuttleworth posted a very gracious article discussing the issue and, while praising the efforts of those involved in the upstart project, conceded defeat.  The post was titled 'Losing Graciously' and it was exactly that: someone who'd poured money, time, effort, and man hours, into a project that just didn't work out. It was a great show of class and what is possible within the community when people can step out of their personal camps and focus on what's best for the community.

Some have said that the creation and death of upstart showed that Canonical wasted a lot of time. I don't believe that. I believe systemd is a better system because of upstart. It forced the developers to up their game because they were up against developers who were hell-bent on creating an even more powerful and awesome system. Sure, systemd is a great system but I think it's better because upstart offered it a serious challenge just when it needed it.  So I think instead of seeing upstart as a waste of time, we should honestly view it as yet another contribution that Canonical and the Ubuntu project have made to the community. Thank you, Canonical.

Winning isn't always everything. Sometimes, losing is a contribution in itself.


Thursday, February 6, 2014

AnonyMail 2.0.33 Coming!

Since the last release of AnonyMail, I've been fortunate enough to receive a lot of feedback from users expressing concerns, filing bug reports, and putting in feature requests. I've been listening to everyone, squashing bugs, and picking the best features requests for the next version of AnonyMail, 2.0.33. I'm happy to say that we're at the cusp of a new release and I think you're all going to like it!

The new version of AnonyMail features better Tor support, no Python requirement (I use the cURL library to route messages through Tor now), an improved user interface, a feedback mechanism, better stability on Windows, and improved message padding and delivery.

We should see a release within a day for Windows and Linux, and it should be in the Ubuntu Software Center soon after.

What is AnonyMail?

Some people have asked me what AnonyMail is and why they should use it. Let me explain:

There are times when you might need to send a completely anonymous piece of email. There are a few ways to do this: 1) you could set up a fake webmail account somewhere or 2) you can use an anonymous remailer to send mail completely anonymously.

There are a few problems with each of those options:

  1. Using a fake webmail address may protect you from the recipient knowing who you are but the webmail provider still knows. To remedy this, you could use something like Tor Browser Bundle to connect to the web mail provider but more and more of them are completely blocking connections from the Tor network making it nearly impossible to use the software to hide your identity.

  2. Anonymous remailers, while absolutely rock solid on anonymity, are hard to use. You have to have an intimate knowledge of cryptography, set up PGP, generate a key pair, obtain the public keys for the remailers you intend to use, and then properly encrypt a message so that it will be delivered. Whew! I got winded just typing all of that!

Neither of the two above options is very easy to use, reliable, or user-friendly. That's where AnonyMail comes in. AnonyMail is like an anonymous remailer only easier to use. Because you can route AnonyMail connections through Tor, you can be completely anonymous even to us so there is no chain that someone seeking to uncover your true identity could follow. This makes AnonyMail particularly well-suited for whistleblowers, secret crushes, and anyone else needing high anonymity but ease of use.

Why isn't AnonyMail Open Source/Free Software? How can I TRUST you!?!

Whenever you're using security software, especially to express unpopular, controversial, or sometimes illegal speech, it's important that you're able to trust that the software isn't selling you out without you knowing it. As such, the recommended security advice is usually 'don't use closed source software' and I completely agree with that. That said, AnonyMail is closed source software.

Because I'm a commercial developer and make my living off of software like AnonyMail, I can't take the gamble on donations that many open source developers have. I have to put food on my table, pay the bills, and still have a little money for beer (or Dr. Pepper, in my case) when I'm done. So I've come up with what I believe is a fair compromise that allows users to be able to trust AnonyMail while allowing me to keep it closed source.

I give you the source code.

Whenever you purchase AnonyMail, you get both the binary (precompiled version that you can install on your computer) and the source code which you can review and/or compile yourself. This means that, if you don't trust me, you can take the source code and create your very own installation of AnonyMail with the confidence that I've not slipped anything nasty in there.

So how do I protect my income while giving away the source code? Simple: AnonyMail is not open source or free software. You don't get the right to share it with your friends, rebrand it and create a competing project, or do anything else you can do with open source and free software. You get the right to review the source and compile a copy for yourself. That's it.

Personally, despite the howling objections of many people in the open source community, I find this a nice balance between security and revenue generation.  

AnonyMail is available for Windows, Linux, and (soon) Mac.

I'm always working to make AnonyMail better so please feel free to shoot me an email with your ideas and suggestions. You can even use the new version of AnonyMail to do it so you can do so totally anonymously. Every new version of AnonyMail includes fixes and improvements that come directly from users just like you so don't be shy to email and share your thoughts!