Adventures of in the land of pixels and code

Your Own Personal Proxy Over Any SSH

Written on August 14th, 2013.

If you have a web host or server that allows SSH, then you can probably set up a proxy to let you browse safely via that server. It’s quick, it’s simple, and it’s only a few keystrokes away.

Warning: Please read the disclaimer at the bottom of this post.

There are many cases where you want your web browsing to be (semi) private. You want to get around a firewall, you need to access a website from a public wifi without getting sniffed, or something else is blocking your access to the free web.

Well, if you have a web host or server allowing you to SSH, you can probably get around it. Before you start, make sure you know how to SSH into your server. Go ahead, I’ll wait.

OpenSSH (OS X/Linux, though PuTTY works for Windows too) includes dynamic forwarding functionality, which uses something called a SOCKS proxy. This is the simplest form of a proxy you could imagine: applications that support SOCKS send their data to a designated local port, and the SSH client forwards it to the SSH server. Packets are sent out from there, and the results are returned, again, via SSH.

This way, you gain the protection provided by SSH: communication from your computer to the SSH server is fully encrypted and bypasses pretty much everything. Note that it doesn’t encrypt traffic beyond the SSH server, as that is being transmitted normally over the net. But it will protect you for the other half of the way. The sites you visit will think you’re coming from your SSH server.

To start, simply go to your terminal and log in to SSH normally with the added -D option set to a port number:

ssh -D 1234 user@server.example.com

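The value doesn’t need to be 1234; it can be any valid port. Just make sure you remember it. You can also set a bind address (-D 192.168.100.100:1234) to allow other machines on your network to use the proxy. The listener does no authentication of its own, so anyone who can reach that address and port can use it.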

Leave the SSH session sitting open (or use -ND instead of -D to maintain a “silent” session). Your SOCKS proxy is now open on localhost:1234. By default, it’s on version 5.

SOCKS support can either be by OS or per app. To start browsing through it on Chrome, I suggest the Proxy SwitchySharp extension. After installing it, create a new profile and set a SOCKS host:

[Image: switchysharp]

And enable it via the extension’s icon.

Boom. You’re done!

Note that you need SOCKS5 in order to route DNS lookups, which is pretty important if you need to hide what sites you’re browsing. At the moment, Proxy SwitchySharp seems to do this by default.
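The DNS point comes down to what each SOCKS version can put in its connect request. The Go sketch below is an added example, not code from the original post; the function names are hypothetical and the destination values are constructed. It builds the SOCKS5 request, which carries the hostname to the proxy, next to the plain SOCKS4 request, which only has room for an IPv4 address the client already resolved.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// socks5Connect builds a SOCKS5 CONNECT request (RFC 1928) with ATYP 0x03:
// the hostname itself travels to the proxy, so the far end of the SSH tunnel
// does the DNS lookup and the local network never sees the query.
func socks5Connect(host string, port uint16) ([]byte, error) {
	if len(host) == 0 || len(host) > 255 {
		return nil, errors.New("hostname must be 1 to 255 bytes")
	}
	req := []byte{0x05, 0x01, 0x00, 0x03, byte(len(host))} // VER, CONNECT, RSV, ATYP, LEN
	req = append(req, host...)
	return append(req, byte(port>>8), byte(port)), nil
}

// socks4Connect builds a plain SOCKS4 CONNECT request. The format only has a
// 4-byte address field, so the client has to resolve the name locally first.
func socks4Connect(ipv4 string, port uint16) ([]byte, error) {
	ip := net.ParseIP(ipv4).To4()
	if ip == nil {
		return nil, errors.New("SOCKS4 needs an already-resolved IPv4 address")
	}
	req := []byte{0x04, 0x01, byte(port >> 8), byte(port)} // VN, CONNECT, DSTPORT
	req = append(req, ip...)
	return append(req, 0x00), nil // empty USERID, NUL-terminated
}

func main() {
	// Hypothetical destination; 192.0.2.10 is a constructed documentation address.
	r5, _ := socks5Connect("example.com", 443)
	r4, _ := socks4Connect("192.0.2.10", 443)
	fmt.Printf("SOCKS5, name sent through the tunnel: % x\n", r5)
	fmt.Printf("SOCKS4, name resolved before the tunnel: % x\n", r4)
}
```

If a client is configured for SOCKS5 but still resolves names itself, its requests carry an IP address instead of the hostname, and the lookups stay visible on the local network.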

Important warning about relying on a proxy for security:
SOCKS is far from a “complete” solution. It is limited to TCP and relies on different levels of application support. If you need more control or more hiding, a VPN may work better.

If your goal is to circumvent censorship or protect yourself from network snooping, other, safer services such as Tor may be preferable. Tor hides all communication via multiple points, making it much safer. It is, however, slower.

This blog post isn’t a conclusive resource, and I’m not a security expert. Please make sure you are fully aware of the limitations and requirements of your setup and local laws.

Similarly, make sure you have permission from your hosting company before you do this. I use WebFaction, which allows personal use only. Observe your company’s Acceptable Use Policy and Terms of Use. If in doubt, email them for written permission.

Stop Dumbing Things Down!

Written on June 17th, 2013.

Most users might want it easy, but others might just want it “their way”.

Back in junior high, I had the privilege of being part of a robotics club. We worked with a variety of kits, including an early Lego Mindstorms set. It rocked, and it pushed my “hobby” into a real thing I studied.

[Image: nxt-small]

Picture via Wikipedia Commons under CC-2.0.

There was just one problem.

Mindstorms robots are programmed in a drag-and-drop interface. It was pretty good and covered all the features I wanted, and all the other kids had no problem understanding it.

[Image: mindstorms-nxt]

Picture via this review from the IEEE Spectrum site. I no longer have the original application.

I, on the other hand, had been programming in C and JavaScript at the time, and doing something as trivial as a subroutine was very, very painful. The drag-and-drop interface only had the equivalent of goto.

[Image: goto]

Comic of pure awesome via xkcd under CC-Attribution-NonCommercial 2.5.

It also didn’t really support variables; you had to “wire” lines between command boxes that needed variable input. And of course there was no such thing as an array or stack.

Don’t get me wrong. Sometimes limitations can be really good. For example, the robot kits and units could only support 3 motors and 4 sensors at a time. This limitation led to some very interesting challenges, such as figuring out how to build an omnidirectional wheel system. Out of legos. Those were fun times.

But I longed for my text editor. I hated using drag-and-drop; I could write a line of code faster than the 30 clicks-and-drags it would take to make a “block” in the GUI. Some people thrive with these easy-to-use interfaces — “drag-and-drop” itself is often used as a way to say “easy as all hell” — but there should always be an alternative for the geeks who already know how to do things more efficiently.

This happens everywhere. Pretty much any “web host custom control panel” will try to coax users into its own, custom, “totally easy to use without any practice” file management interfaces. Some rock, some suck. I bet the first-time users and non-tech people love them, as with some experimenting they can actually be pretty good.

[Image: freewebfilemanager]

Here’s one (I’ve never tried): “freewebfilemanager”. Boy, that’s a mouthful.

But what about the geeks? I have my FTP app (I use Transmit), thank-you-very-much. And your fancypants “web 2.0” file browser can’t do things like mount a directory as a local drive. It can’t let me edit in place using my text editor of choice. Stop treating me like a kid, and give me the good stuff — let me FTP in!

Another example: How hard would it be for a web app to allow users to export their data in JSON or XML? PDF is nice, but sometimes I want it programmatically. It’s just parsing the data into a single formatting function.

When possible, always let there be logical, advanced options for the people who can use them. And I don’t mean adding complex APIs or developing libraries; as shown here, this applies most to tools that should already exist with little effort.

The Possible Flaw in the e-KTP System

Written on May 17th, 2013.

Indonesia’s new electronic ID cards — the e-KTP — have come under a lot of fire recently (particularly with the minister for commerce insisting that photocopying the card will break it). Devs have been busy trying to make sense of the chaos, and my Google+ community managed to get some nice, technical answers.

It appears, however, that the controversy, slip-ups and confusion have hidden the true flaw in the system.

Disclaimer: all of this is speculation, since we haven’t reached the point where a flaw could be abused in the system. If I am wrong, please correct me (you can contact me here). I truly hope I’m wrong.

First, a quick recap on what this thing is. Here’s a guy holding up a pair:

Picture via Kompas. Don’t read the article, it gets even more confusing.

NFC-enabled, RFID-based “contactless” cards. Embedded in a few hundred million ID cards, distributed around Indonesia, starting last year or so. Right now, they’re not used electronically, but we expect that to change very soon.

The e-KTP system was designed to be an authentication tool. You put it on a scanner, scan your fingerprint, and that’s used to verify your identity.

Additionally, the data within is completely encrypted, with no useful information available to anyone with an NFC-enabled device. This stirred up a storm in the developer community: anyone wishing to read or interface with the e-KTP is required to have a special card reader, provided by the government, practically limiting their use to large businesses.

Or so they think.

The Flaw

Digging into the e-KTP specifications (available via third parties — for some reason these things aren’t available online) reveals this:

d. Security consists of the following:
[…]
2) Supports two-way authentication between the smart card reader/writer and the chip;
[…]
4) The security algorithm is symmetric, based on the algorithms: 3DES with a 168-bit key length, AES 128 bit, or equivalent;

Translation: symmetric key encryption.
Explanation: Where one ‘password’ (okay, fine, a “key”) is used both to encrypt and decrypt.

Yes, all the data in the card — which includes the fingerprint data used to match up with the user, presumably to avoid requiring an internet connection (or a 24/7 online server) for authentication — is protected by a symmetric key.

To their credit, 128-bit AES is secure, and there aren’t any known flaws. A good deal of the world’s encryption relies on it. The issue is with symmetric key encryption itself.

It means every e-KTP reader machine contains the secret key to reading and writing.

Yes, not just reading. Writing. Which means fake e-KTP cards can totally happen.

There is simply no way that this will not happen. The card readers will be distributed around the entire country — there will be thousands of them. Protect the readers as you wish: once that secret key is embedded in a reader, it’s just a matter of time until a sufficiently dedicated individual — or organization, or government — recovers the key.

So what happens when the key gets exposed?

Identity theft.

First of all, a person possessing the key can — thanks to their contactless nature — press a reader (which, by the way, fits in a cell phone) to someone’s wallet, hope the signal passes through, and grab all the information on it. Or wipe the original card in the process.

Counterfeit cards are also an issue. With digital verification, it’d be much easier to disguise a card (say it fell into a river or something) and pass a person off as someone else.

Voting fraud is one thing. Impersonating a person at an airline check-in desk is a potential security threat.

To top it off, KTP cards have a 5-year lifespan. It would take up to 10 years to fully cycle all the cards to use a new, hopefully more secure, system.

I could be wrong!

First of all: it’s not defined in the specifications, but there’s a possibility I’m wrong all along — perhaps the fingerprint is the encryption key. That’d be completely brilliant, but nowhere near reliable: a person’s fingerprint is easy to obtain, so a sufficiently motivated individual could still obtain access.

The system could also be more complex, such as each card having its own encryption key, stored on a home server in Jakarta. Presumably, in this case, the key would have to be fetched over the internet whenever an e-KTP needs validation. And if the machine contains an API key (basically an access code to the server) to obtain said key, then there’s that vulnerability, too.

That said, when a system is said to be secured by symmetric encryption, the typical interpretation is what I explained above. There could be additional defenses, or there could be a specification sheet that I haven’t found.

Again, if you can enlighten me, please get in touch.

Potential Fixes

What really confuses the tech community — and many people I’ve talked to — is why the cards don’t just use asymmetric key encryption (i.e. public-key cryptography), where different keys are used for encrypting and decrypting. This would completely negate the issue of counterfeits — only card reading would be an issue, and let’s face it, the data is written in plaintext on the physical card itself. There’s pretty much no reason to hide that information in the first place.

And it’s not like asymmetric keys are advanced technology. They’re used every day — TLS, used by every website using HTTPS, is based upon it. It’s very well-understood.
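The difference between the two designs, as an added example that is not from the original post and does not model the real e-KTP protocol. It uses HMAC-SHA256 and Ed25519 signatures from Go's standard library as stand-ins for the symmetric and asymmetric cases; the records, the key and the function names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// tag authenticates a record under the key shared by issuer and readers.
// HMAC-SHA256 is a stand-in chosen for this sketch, not the e-KTP algorithm.
func tag(sharedKey, record []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(record)
	return m.Sum(nil)
}

// readerAcceptsMAC is the reader-side check. It has to call tag() itself:
// with one shared key, verifying a record and minting one are the same step.
func readerAcceptsMAC(sharedKey, record, t []byte) bool {
	return hmac.Equal(tag(sharedKey, record), t)
}

// readerAcceptsSig is the check when readers store only the issuer's public key.
func readerAcceptsSig(issuerPub ed25519.PublicKey, record, sig []byte) bool {
	return ed25519.Verify(issuerPub, record, sig)
}

// compare runs both models on constructed sample records.
func compare() (retaggedAccepted, genuineSigAccepted, alteredSigAccepted bool) {
	genuine := []byte("id=SAMPLE-0001;name=CONSTRUCTED HOLDER")
	altered := []byte("id=SAMPLE-0001;name=SOMEONE ELSE")

	readerKey := []byte("constructed-key!") // 16 bytes, what each reader would hold
	retaggedAccepted = readerAcceptsMAC(readerKey, altered, tag(readerKey, altered))

	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(priv, genuine) // the private key stays with the issuer
	return retaggedAccepted, readerAcceptsSig(pub, genuine, sig), readerAcceptsSig(pub, altered, sig)
}

func main() {
	a, b, c := compare()
	fmt.Println("shared key: altered record re-tagged with a reader's key accepted:", a)
	fmt.Println("signatures: genuine record accepted:", b, "| altered record accepted:", c)
}
```

In the signature model a reader holds nothing that can produce a valid record, so recovering a reader's contents exposes at most what the card already stores.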

At this point, though, the damage has been done. We won’t know how vulnerable the system is until it goes into practice. Hopefully a white-hat discovers the key before the bad guys do… And hopefully the government fixes the issue.

Or, you know, they might just change the secret key.

Gah.

The Best Monitor To Start With, Period

Written on May 11th, 2013.

“What monitor should I get?” is probably the most common computer question I don’t have an answer for. While I can happily answer most computer-related queries (favorites being “yes”, “no”, and “pizza”), this one’s tricky. Monitors range from the cheap to expensive, have a million attached buzzwords and come in all shapes and sizes.

Thankfully, especially for my Indonesian friends, I’ve got an answer now. Bhinneka, the online electronics store, has started selling the Dell U2312HM: An Ultrasharp series screen with pretty much everything you could want. Get it. Get it now.

It’s gorgeous, amazingly flexible and gets the job done. Here it is next to my 21.5” iMac at my home office:

[Image: setup]

While most monitor and TV manufacturers go gung-ho on random (and often insignificant) metrics — like contrast ratios and response times — this thing doesn’t cut corners. Let’s see:

  • It’s huge: 23 inches huge. 52x29 cm of screen space. And yes, bigger is better. Don’t let anyone tell you otherwise.
  • Swivel — you can rotate it vertical. I can’t overstate this enough. For programming, you can fit an absurd number of code lines on one screen.
  • 4 USB ports, and accepts VGA or DVI input.
  • Dell’s Ultrasharp line is their professional series of monitors. It’s for graphic designers, gamers and content creators. It’s one of the best out there.
  • Great (and by great, I mean accurate) colors. It took me a bit of calibration to be perfect, but it was close out of the box.
  • IPS. Well, E-IPS, but not a problem. You’ll have good viewing angles.
  • It’s so cheap even I was skeptical. It’s Rp 3,700,000 on Bhinneka, although it’s at $200 on Newegg.

It’s still pricy for a monitor — cheap office-level monitors can come for half the price. But this is Dell’s professional line, and it can do all sorts of acrobatics your average monitor can’t. There are a few drawbacks you may want to look out for:

  • No HDMI input. Could be a game-breaker, but not for me.
  • There’s an anti-glare coating. Some people might find it distracting. It practically vanished for me after using it for an hour.

Of course, better options exist if you want a bigger screen… Which, uh, would be the bigger Ultrasharps and Apple displays. It also doesn’t sport the best color accuracy out there, but it’s still excellent, and at a price that’s really tough to beat.

Even if you already have another primary screen you love, consider this for your side monitor. It works even better that way.

If you’re on the fence for a new monitor — or you want a solid starting point to pick a display from, this is it.

Get it here from Bhinneka. I trust these guys very well.

Why Are You Going to College?

Written on April 29th, 2013.

With the new academic year coming up, I’ve been asked to talk to fresh high school graduates about their education plans. Shockingly, a huge number of kids have no clue what they want to be when they grow up, but they go to college anyway. They don’t even know what department or faculty to take — they just want to be in it.

This, to me, is complete lunacy. If you’re a graduate aiming for a campus, make sure you know what you want. Otherwise, you cannot enter a university — no matter how prestigious or famous — and walk out a successful man or woman. Don’t let anything affect what you pick — take what you want to be.

Last year, I actually met an IT student from the so-called best university in Indonesia, who did not understand the concept of regular expressions. In disbelief, I asked, “so why did you decide to be an IT student?” His reply — forever a reminder that we’re lucky to be in a field fueled by passion — “because my parents told me IT pays well nowadays.”

As one of my mentors (I truly wish I remembered who said this) told me a while back:

A student in college without a dream is like a kid with a wad of cash in a toy shop: he’ll wander around, look for the shiniest and most expensive toy, take it home, and give up trying to assemble it in a few hours.

Know what you want to be, and be it. Don’t follow anyone else.