The Privacy Badger: The Honey Badger of Your Internet Privacy

I have always been really into privacy and tired my hardest to keep my online life private. I think that’s why I was so fascinated with cryptocurrencies. I love the idea of having a currency that is completely private. So today I want to talk about one of the browser plugins that I am using that help to ensure my privacy online.  I’m planning on doing a few posts about online privacy, but I want to keep them kind of short and easily digestible. I should note that this plugin doesn’t completely secure one’s internet privacy, but it does work really well and is a quick win when it comes to protecting my privacy.

The Privacy Badger

The Privacy Badger

The privacy badger is a pretty awesome app that was built to block 3rd party tracking applications that advertisement blockers fail to stop. If you didn’t know it there are a ton of 3rd party applications that website owners can use to track their visitors. There are also may tracking scripts that are used by advertisers to track you across websites and show what you’ve been looking at. Have you ever wondered why when you go shopping at say Amazon and then go to another site there are all of a sudden advertisements for the exact thing you were looking at on Amazon? This is because many major sites utilize these so they can sell you products.

Many people may ask, “well what if they track what I’ve been shopping for. So what?”. I think for the non-privacy conscience people it’s hard to understand why this type of tracking is a bad thing. But think of it in a slightly different light. If you share a computer with a spouse or significant other and you are shopping for a present for them.

What if all of a sudden they start seeing advertisements for that very product. It might spoil the surprise. For those who are like me, a little more paranoid than the average human, you might also be thinking how could this type of tracking be used against me. I look at this type of tracking as a form of surveillance. You wouldn’t want someone sitting outside your house or apartment and looking in your windows all the time, would you? In cases like that, you can just close the blinds or call the police. However, in the terms of online tracking, there is no way to prevent these 3rd party tracking apps from seeing everything you look at and keeping a profile on you.

How Does it Work?

Well, the privacy badger works by searching through the code of every page you load to determine if there are 3rd party scripts that are calling out to a URL other than the one you are visiting. It then starts to look for patterns. It looks for the same source tracking you across different websites and determines if they are adhering to the “Do Not Track” flags. If they don’t then Privacy Badger tells your browser not to load content from that source anymore.

Now, this does have a tendency to break things so privacy badger does have a method to allow 3rd party scripts from loading. By clicking on the privacy badger icon in your browser you can see all the tracking URLs and re-allow them by clicking on the slider. By sliding the script to green you are telling privacy badger it’s alright to run this script. Alternatively, you can move the slider to yellow which allows the script to run but does not allow the script to write any cookies to your browser. It’s kind of like a happy medium for many scripts.

The EFF

The Privacy Badger is developed by The Electronic Frontier Foundation (EFF), a non-profit organization that “[defends] digital privacy, free speech, and innovation” (taken from their website www.eff.org). Full disclosure, I am a supporter of the EFF and I donate to them every year because I love their mission and their values. If you care about your privacy and want to get involved, I think the EFF is a great place to start.

Install the Privacy Badger

You can install the privacy badger today and let it start protecting you from 3rd party tracking applications. Click the links below to open the Privacy Badger installation in your browser.

Chrome
Opera
Firefox

Cross Posted on the STEEM blockchain here.

Crypto Mining Saga Part 2: New Miner, New Pool

So about a week ago I decided I wanted to chronicle my adventure around crypto mining. From building my first cloud mining rig to actually building a physical mining rig. So while I talked last week about using my Cloud at Cost developer cloud system resources as a source of free mining, this week I wanted to talk about changing up my pool choice.

Issues With Minergate

I had been going with Minergate as my mining pool because it was easy to get started and I liked the ability to mine multiple currencies.  I had started by mining Monero (XMR) and Fantomcoin because with Minergate you can dual mine those two currencies on a basic CPU.  Now, like I said in my last post, I never expected to get rich off of this.  I am doing it more to learn about how mining works.  I had made about .0005 XMR which is really nothing at all.  Since then I had done some research and read a lot about different mining pools and there were a lot of complaints about Minergate and how their hashrate may not be accurate and there was a possibility of them skimming.  So I decided to research some other mining pools to see what else was out there.  I stumbled upon moneropools.com which is a pretty awesome website that details many of the public mining pools out there.

After looking at all of them I finally landed on supportxmr.com because it had the lowest fees and a 0.3 XMR payout limit.  The other thing I really liked about the service is that I didn’t have to register with them.  I just had to provide a Monero public address to pay out to when I reach the threshold.  So I got myself a Monero wallet and set out to mine.

XMRpool Dashboard
xmrpool.com Dashboard

New Mining Software

Now the problem I had, was that I was using Minergate because of the ease of it.  They had a pre-compiled .deb file of their miner and that was really easy.  But I now had to go out and find a different mining application. In searching for that I came across XMR-stak-CPU which is an application that is specifically compiled for mining the CryptoNight algorithm which is what Monero uses to secure its blockchain.  The thing I found interesting is that the XMR-stak-CPU application is specifically designed to use the AES hardware acceleration that is present on some CPUs.  So I figured I’d give it a try and see if I can get a better hash rate out of it.

The issue was this application had to be compiled.  Now I consider myself a fairly strong Linux user.  But when it comes to compiling code from scratch, I have the absolute worst luck.  I typically shy away from applications that are not pre-compiled or part of an APT repository.  So I did some more research and found another GitHub project that was providing a modified version of xmr-stak-cpu that was precompiled called XMRig.  So I figured I’d give it a shot, and after taking a look at the config.json file it seemed pretty straightforward.  I added my pool information and it was as simple as running the command ./xmrig.  I was up and running and mining at my new pool.

XMRig Config.json
XMRig Config.json

Final Thoughts on New Pool and New Miner

So after about a week of mining, I am really liking the new pool.  I feel like I’m generating a lot more XMR at supportxmr.com verses at Minergate.  After about 2 or 3 weeks of mining at Minergate I’ve only generated about .005 XMR but this new pool I’ve generated double that in less time.  I really think that’s because they have smaller fees and because there are fewer miners active on the pool the reward per miner is greater when the pool adds a block.  Again, I know what most people would say, this is basically a waste of time because there is no way that I will make any real money off this.  But this is just the beginning of my mining journey, I realize that right now I’m not going to make any money, but I’m already thinking about building a mining rig of my own so I consider this just the cost of learning.

I want to hear from others out there, what are you mining and why did you choose that coin? Also, any feedback on my posts and mining journey would be greatly appreciated.

This blog has been cross-posted on STEEMIT here.

Crypto Mining Saga Part 1: Cloud Mining Experiment

So I’ve recently been really fascinated with cryptocurrencies and have gotten myself back into reading about mining.  I first started looking at mining and cryptocurrencies in college a few years ago and I attempted to mine some Litecoin back then.  However, I never have had a gaming rig with a beefy enough processor to mine anything of value so I usually quit after about a week and only making $0.02.

Back then it was easy to write that off, I was living in the dorms at college and I didn’t have to pay for electricity.  Now that I’m an “Adult” and I have bills and what not, the concept of mining on a big rig becomes a little harder to swallow.  However, I really wanted to play around with it for fun and to give back what little I can to the community by attempting to validate some transactions.

Note: I know that the method of mining I’m going to describe here is not profitable.  I’m not expecting to make money off of this endeavor, I just want to learn as much as I can by doing and hope I don’t lose too much in electricity costs in the process.

Mining in the cloud

Cloud At Cost

 

 

So a few years ago I signed up for a cloud service called Cloud at Cost (https://www.cloudatcost.com).  Cloud at cost offers a low cost, one-time fee virtualization platform.  I essentially bought virtual CPUs, Memory and SSD space from them and I can allocate that to any number of VMs I choose.  I bought this service because in my day job I do a lot of software testing so I figured this would be a good service to have so I could quickly and easily spin up a publicly facing server to try out new software.

I paid my one time fee for 12 vCPUs, 12 GB of RAM and 120 GB of SSD space.  Back then I think I spent about $120 on it.  So for me, this was a sunk cost, I had paid for it years ago and haven’t been using it as much as I should have been.  However, when I started looking into mining I thought this would be a good place to get some “free” CPU power to mine something.

Building my first cloud mining rig

When I first started doing my research I was looking for something easy to get started.  Everything I read said that minergate was the easiest way to get started.  So that’s what I did, I went out to my Cloud at Cost portal and started up a 2 vCPU 2GB RAM and 20GB SSD Ubuntu 14.04.  I never thought that I’d get a high hash rate out of these VMs but I wanted to see if I can find the sweet spot and squeeze the best hash rate out of these resources I have.  Now minergate has a wonderful command line version of their mining software (https://minergate.com/downloads/console).  Once I got the VM up and running, getting the miner was as simple as running the following few commands:

wget https://minergate.com/download/deb-cli

chmod 777 deb-cli

dpkg -i deb-cli

With those commands I now had the “minergate-cli” application installed and I could start mining most everything minergate allows.  I decided that the best currency to mine using a CPU is Monero.  Monero uses the CryptoNight algorithm which is supposed to be ASIC resistant.  This means that while my CPU is still slow it isn’t so slow that I cant at least make some Monero.

Are there any downsides?

Well, the truth of the matter is that the hash rate is pretty bad.  I’ve tried several different configurations with Cloud at Cost.  I’ve tried different configurations of CPU cores and RAM trying to squeeze the best hash rate out of them.  However, unfortunately, using the minergate-cli I’m only getting about 5 H/s per CPU core.  Through all my experiments I haven’t been able to get anything greater than that out of the vCPUs.

One thing I have found is that the minergate-cli tends to die every so often.  So I wrote a short script to check to see if it’s started and if it’s dead to open the application in a screen.

minergate_check.sh:

#/bin/bash#/bin/bash

case “$(pidof minergate-cli | wc -l)” in

0) echo “Restarting Minergate: $(date)” >> /root/minergate.log screen -d -m -S minergate /root/minergate_start.sh
;;

1) echo “Minergate running: $(date)” >> /root/minergate.log
;;

*) echo “More than one minergate running”
;;

esac

The script calls a simple bash script minergate_start.sh when it can’t find a process ID (PID) of the minergate-cli application.  That script is a simple one-liner that just runs the minergate-cli application with all the switches that I use to start mining Monero.

So I set this up as a cronjob to run every 5 minutes and check to see if the service is running or not.  So far this has worked like a champ for me.  When I review the log it looks like the service has to be restarted about once every hour or so.

Final Thoughts

The way I’m doing it now is never going to make me any money, but in all fairness, this is a sunk cost for me.  I bought this service a few years back for another project and I haven’t been using it since.  So in all honesty, I can’t complain much.  I’m not going to get rich on this but, at least I am learning something and I feel like I’m giving back to the community by confirming transactions and working on mining a really cool cryptocurrency.

Additionally, I am concerned that I may at some point be in violation of the Cloud at Cost terms of service.  I’m no lawyer, but the terms of service state that if your VMs run at 100% CPU for about 30 minutes they can shut down your VM.  I don’t know what that means for my account.  If I”m found in violation of the terms of service will the remove my account?  So far I haven’t had any issues, none of my VMs have been shut down for excessive CPU usage.

I like the Cloud at Cost model and you can’t beat the price.  When they have their big sales it’s a pretty good deal.  You can find more about their Developer Cloud on their website at www.cloudatcost.com.  It’s always nice to be able to spin up a cheapo server to do a test, but I’d never use any of these servers for a production application.

So what do you think, does anyone out there use Cloud at Cost or anything like it?

 

Time to Update all the Wi-Fi Things

So the internet has been buzzing today with the release of the new WPA2 Key Reinstallation Attack (or KRACK as it’s known in the community).  And I understand why; this may be one of the worst vulnerabilities I’ve seen this year.  I’ve spent most of today looking at this vulnerability and I’m amazed at how simple it is to completely bypass the encryption we have all come to trust in Wi-Fi.

KRACK Logo

What is KRACK?

At its core, KRACK is a vulnerability in the implementation of WPA2, which is the Wi-Fi encryption algorithm that almost everyone uses nowadays to protect the confidentiality of their wireless network.

KRACK exploits the WPA2 4-way handshake, which is the method that a host and router use to securely share a secret encryption key.  Each time the host connects to a network, a fresh key is shared and installed for that session.  By sending a victim host specially crafted Wi-Fi packets, the attacker can get the host to reuse a previously used key.  This is possible because there is currently no method to guarantee that a key cannot be used more than once.

What does this mean for the security of our Wi-Fi?

Well, essentially this means that if an attacker is within Wi-Fi range of your host, they could potentially decrypt the packets on your network.  In some instances, the researchers were able to even manipulate the data on the network using a man-in-the-middle attack.  However, this attack does not reveal your Wi-Fi password, so there is no need to change your network’s Wi-Fi password.

It’s important to note that if an adversary were able to conduct this attack against you, they would not be able to see any data that is encrypted by HTTPS or a VPN.  This is why I recommend that everyone use a privacy encrypting VPN (such as PIA; this is not an affiliate link).  Along with that, I suggest using the EFF’s HTTPS Everywhere plugin to ensure that you are using HTTPS in every instance.

On a final note, make sure that you are watching for updates to any devices that use Wi-Fi; a lot of the manufacturers will be issuing patches to fix this vulnerability in the coming weeks.  Ensure that you are logging in to your router to check if there are any updates and that you are installing updates on your laptops, desktops, phones, and tablets.

The researchers that found this vulnerability haven’t released the exploit code yet to give device manufacturers time to patch the vulnerability.  However, that won’t stop someone else from trying to recreate the code themselves.  I plan on downloading the code once they release it to play with the vulnerability.  If you’d like to read more you can visit the vulnerabilities website at https://krackattacks.com or you can download their white paper here.

They have also released a YouTube video displaying how easy it is to exploit the vulnerability and the impact of the exploit.  I highly recommend watching it, as they do a pretty good job explaining how the exploit works.

Advanced tshark Demo

Hey everyone, I had a student ask me the other day about a more in depth lecture on tshark.  His use case was being able to extract the request methods and URIs from a pcap file and if possible sort them.  So I thought that was a great idea and I created a bonus lecture for my Wireshark Crash Course on Udemy.  But I also thought that this would be useful to the general public so I released it on YouTube as well.  Let me know what you think!

The End of TrueCrypt

Well, that’s it guys!  TrueCrypt is no longer being developed.  I read the story earlier last week on Krebs on Security.  The developers of TrueCrypt shocked the entire community when they posted last week that development for TrueCrypt had ended and that TrueCrypt may contain unpatched vulnerabilities.  They have kept the code up on sourceforge.net but with instructions on how to transfer all encrypted data to Microsoft BitLocker containers.  Which I thought was really weird.

I’ve used TrueCrypt for years and I guess I never realized that the developers remained anonymous all these years.  It’s disappointing that this wonderful product will no longer be able protect our critical and sensitive files.  I’m sure there would be many developers out there happy to take on the continued maintenance of this product, but before that happens the current developers will need to change the license agreement.

Wireshark Crash Course Published

Wireshark Crash CourseI am incredibly excited to announce that I have finally finished and published my Wireshark Crash Course on Udemy.  This has been a project that I’ve been working on for a while now and I am finally finished.  You can catch a sneak peek by going to the Udemy Course Landing page here.  As readers of my blog, that link will give you a 25% off coupon for the course.  I cant wait to hear your feedback and as always if you have questions please shoot me an email or leave a message on this blog!

New Wireshark Course Almost Finished

So I’ve been developing a wireshark for beginners course for a few weeks now and I’m about 60% finished with it.  I’m very excited because this is my first online course and I have ideas for many more.  I’ll be posting again when it is finally published, but if you are interested in a sneak peak, signup for my newsletter on the side bar and I’ll send you an email with a coupon for free lifetime access to the course.

I’ve also been trying to drum up some conversation on what topics you would like to see.  So in the comments section, if you could have access to any online learning course, what topics would it cover?