OK Go having fun with optical illusions


Google gets snarky with app permissions



I was trying to find an exercise app the other day and eventually decided on one that required minimal permissions -- in particular, full Internet access wasn't listed.  After installing the app, I was surprised to see ads.  I dug a little deeper and found this snarky update from Google:

Note: These days, apps typically access the Internet, so network communication permissions including the “full Internet access” permission have been moved out of the primary permissions screen.
What?!  Are you serious?!  One of the most potentially dangerous permissions is no longer even listed when installing Android apps?  It's like Google is giving a green light to every malware/backdoor/stalker/advertiser slimeball developer.  Lame!

I mean seriously, if I wanted NSA to know my every move I'd just install the Moves app or wear those disturbing fitness wristbands and be done with it.

An additional legalese clause is even more sinister:
Once you’ve allowed an app to access a permissions group, the app may use any of the individual permissions that are part of that group.
When an app updates, it may need to use additional capabilities or information controlled by permissions.
If you have automatic updates enabled, you won't need to review or accept these permissions as long as they are included in a permissions group you already accepted for that app.

In other words, if I allow full Internet access (that's now stupidly grouped in the generic Other group) for an app that legitimately needs it, I've now implicitly given the app owner permission to write to my Google+ account (among many "other" vague things):

Double lame! (and misleading, unethical, and possibly illegal)

Google, you can keep your "simplified permissions" -- give me back my privacy control!


In addition to already disabling auto-update, it looks like I'll need to manually check the full permissions from now on.



Box.com (the other box)


Every time someone mentions cloud storage they're usually referring to Google Drive (15 GB free space) or Dropbox (2 GB free space).  While those two services are excellent, I've also found Box.com (10 GB free space) to be a nice option for sharing and collaborating online.

MobaXterm surprisingly powerful


You may have noticed there aren't too many Windows developers out there.  Why is that?

It's probably because unless you're developing a .NET or Silverlight application, it's a royal pain to set up all the useful tools needed for developing:

  • Remote Desktop Connection
  • PuTTY
  • SSH
  • Mosh
  • SFTP client
  • Git
  • dig
Fortunately, the free tool MobaXterm combines all that functionality into a nice, concise, portable package.  Check it out!

Setup tips:

Make sure to include the following plugins: Curl, DnsUtils, Screen, tmux, X11Fonts, Zip

Also, include the nano plugin  (credit)

In addition, use this git plugin since it contains additional optional configs, such as subtree and stree.

If you need only Node.js you can install the official plugin.  However, if you need Node.js and npm, use this plugin.

Right-click http://curl.haxx.se/ca/cacert.pem and save as "ca-bundle.crt" in the MobaXterm directory.  Then open MobaXterm and run git config --global http.sslcainfo ~/PATH/TO/MobaXterm/ca-bundle.crt

Create a Windows environment variable named CURL_CA_BUNDLE and set the value to C:\PATH\TO\MobaXterm\ca-bundle.crt (log out and back into Windows to apply)

In the MobaXterm Settings > Keyboard shortcuts menu, change the keyboard shortcut for switching tabs to Ctrl+Shift+LEFT / RIGHT arrows  (on some laptops the default left/right arrow setting changes the screen orientation instead)


P.S. My only complaint with MobaXterm is that it doesn't change the solid cursor block to an empty outline block when the application loses focus.  This is a handy visual cue in PuTTY that reminds me to click on the screen before typing, if needed.

P.P.S. Cash, Babun, and cmder also look promising

P.P.P.S. Check out this nice post by Jeff Geerling that covers many pitfalls of Windows development

Sophos Antivirus for Linux


Depending on your needs and paranoia, you may want to install an antivirus client on Linux.  Sophos has a nice client but their installation documentation was a bit sparse.  Here are some helper notes for RHEL 6.5:

  1. Upload the sav-linux-##-i386.tgz file to your Linux server
  2. cd /tmp
  3. tar -xzvf /PATH/TO/YOUR/sav-linux-##-i386.tgz
  4. sudo yum -y install /lib/ld-linux.so.2 gcc make kernel-devel-`uname -r`
  5. sudo sophos-av/install.sh
  6. sudo /opt/sophos-av/bin/savupdate
  7. sudo /opt/sophos-av/bin/savconfig set EnableOnStart true
  8. sudo /opt/sophos-av/bin/savconfig set AutomaticAction disinfect
  9. sudo /opt/sophos-av/bin/savconfig add AutomaticAction delete
  10. sudo /opt/sophos-av/bin/savdctl enable
  11. Test to make sure it is working by running this command: curl -o /tmp/eicar.com.txt http://www.eicar.org/download/eicar.com.txt ; cat /tmp/eicar.com.txt   (you should get a warning stating 'Threat "EICAR-AV-Test" detected in file' -- hit enter to acknowledge)

Note: if you use your own update source and have a secondary URL:
a. sudo /opt/sophos-av/bin/savsetup
b. Choose option 1  (Auto-updating configuration)
c. Choose option 5  (Configure secondary update source From own server)
d. When prompted, enter the URL
e. Choose option q  (Quit)



Mohmal - my new favorite temporary email service


Temporary email services are (by nature) always in flux.  It's a game of cat and mouse - marketers try to block them and new ones spring up in their place.  My current favorite is Mohmal, which can generate a user-selected or random email address that self-destructs after 45 minutes (you can also manually delete it).

If you need longer than 45 minutes, you can click the renew button or use Fake Mail Generator (which keeps the account for 24 hours).

chkrootkit install and daily scan


Here's a quick one-liner to install chkrootkit and have it run daily:

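sudo yum -y install chkrootkit && printf '#!/bin/sh\necho "###" `date` `hostname` >> /tmp/rootkit.log\n%s -q >> /tmp/rootkit.log\n' "$(which chkrootkit)" | sudo tee /etc/cron.daily/chkrootkit.sh > /dev/null && sudo chmod +x /etc/cron.daily/chkrootkit.sh

(The script is piped through sudo tee because a plain > redirect is performed by your own shell, not by sudo, and fails for a non-root user.)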

Log file:  /tmp/rootkit.log

Secure RHEL6 with OpenSCAP


If you're a brand new Linux server administrator and you don't have a strong handle on the plethora of security risks and remediation steps, OpenSCAP is a nice starter tool.

I couldn't find a nice guide for Fedora / CentOS / Red Hat Enterprise Linux 6 so I put one together:
(note: I recommend trying this on a backup or test machine first)

1.  Install the scanner engine:
sudo yum -y install openscap openscap-utils 
2.  At the time of this writing, there wasn't an automatic fix for the "Control-Alt-Delete" behavior so apply fix manually:
sudo sed -i 's/exec \/sbin\/shutdown -r now "Control-Alt-Delete pressed"/exec \/usr\/bin\/logger -p security.info "Control-Alt-Delete pressed"/' /etc/init/control-alt-delete.conf
sudo sed -i 's/select idref="disable_ctrlaltdel_reboot" selected="true"/select idref="disable_ctrlaltdel_reboot" selected="false"/g' /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
3.  Unless you're running a server for the government, you don't need their login banner so disable that rule:
sudo sed -i 's/select idref="set_system_login_banner" selected="true"/select idref="set_system_login_banner" selected="false"/g' /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
4.  Scan your server for potential issues (this is a simulated run only, no changes will be made to your server)
sudo oscap xccdf eval --profile stig-rhel6-server-upstream --results /tmp/oscap-results.xml --report /tmp/oscap-results.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
5.  If you have a browser installed on the server, you can open /tmp/oscap-results.html.  Otherwise, copy /tmp/oscap-results.html to another machine, open in browser, and search for Remediation script sections for any fail or error entries.  If any of those fixes are not desired, repeat step 4 above replacing set_system_login_banner with the desired Rule ID.

6.  Once you have disabled any rules that you don't want applied, you're ready to fix your system!  Run the scan again using the --remediate flag to automatically apply fixes provided for your server profile (note: not every issue has an automatic fix):
sudo oscap xccdf eval --remediate --profile stig-rhel6-server-upstream --results /tmp/oscap-results.xml --report /tmp/oscap-results.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

7.  Repeat step 5 above and review any remaining errors or failures you may want to fix manually.
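
To triage the scan without opening the HTML report, the two helpers below list the failing rules from the results file and generalise the sed edit from step 3 to any Rule ID. This is an added example, not part of the original guide; the function names failed_rules and disable_rule are made up for illustration, and the XML layout assumed is the unprefixed XCCDF that oscap writes for the RHEL 6 content.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the original post).

# Print "rule_id<TAB>result" for every rule whose result is fail or error
# in an XCCDF results file. Records are split on "<", so the parse does not
# depend on how the XML is indented or wrapped.
failed_rules() {
  awk 'BEGIN { RS = "<" }
    /^rule-result[ \t\n]/ {
      id = "?"
      if (match($0, /idref="[^"]*"/)) id = substr($0, RSTART + 7, RLENGTH - 8)
    }
    /^result>/ {
      r = $0; sub(/^result>/, "", r); gsub(/[ \t\r\n]/, "", r)
      if (r == "fail" || r == "error") print id "\t" r
    }' "$1"
}

# Flip one rule from selected="true" to selected="false" in the XCCDF file.
# The untouched original is kept next to it as FILE.bak.
disable_rule() {
  xccdf=$1; rule=$2
  # Only accept identifier characters so the value cannot alter the sed script.
  case $rule in
    ''|*[!A-Za-z0-9_.-]*) echo "invalid rule id: $rule" >&2; return 2 ;;
  esac
  esc=$(printf '%s' "$rule" | sed 's/\./\\./g')   # dots are literal, not wildcards
  pat="select idref=\"$esc\" selected=\"true\""
  # Refuse to touch the file when the rule is absent or already disabled.
  grep -q "$pat" "$xccdf" || { echo "$rule is not selected in $xccdf" >&2; return 1; }
  cp -p "$xccdf" "$xccdf.bak" &&
    sed "s/$pat/select idref=\"$rule\" selected=\"false\"/g" "$xccdf.bak" > "$xccdf"
}

# Typical use (as root, with the paths from the steps above):
#   failed_rules /tmp/oscap-results.xml
#   disable_rule /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml set_system_login_banner
```

Rerun the scan from step 4 after disabling a rule to confirm it no longer shows up in the failed_rules output.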



P.S. If you want to take your security to the next level, you might want to check out Linux Malware Detect, ModSecurity, and Suricata/OSSIM

Security issue with Lubuntu 14.04


Important: due to a security bug, Lubuntu versions 12.04.1 through 14.04 do not check for security updates or display the Software Updater utility on a periodic basis.  To fix, run this in your terminal:

echo @update-notifier >> ~/.config/lxsession/Lubuntu/autostart