Old Wisdom, Bad Wisdom: Play Hard to Get

Written on Sun, 12 June 2016

We have heard the old adage told by older women to young ladies, play hard to get to protect yourself.

It certainly has its merits:

• You want to be sure that man really wants you
• You want to be wanted
• You make sure those who are short-termed interested are filtered out

It does make sense in this light. Yet have we also considered the consequences?

Play hard to get, and you will be treated like a trophy when you are gotten.

I'm not sure about you, but I'm pretty sure most ladies still want to be loved even after marriage. No wife would want to be a decorative ornament in a big grand home.

Playing hard sends a very wrong message, that relationship is a game, and you're the prize. You're not a walking badge beside him, a trophy in the kitchen, a status for him to brag.

Does the old wisdom still hold its place in our modern culture? I believe it does, but with much less importance. Ladies should consider that love works both ways. While ladies seek to be loved, men seek to be respected. Ladies, do what you need to know that your man loves you, and respect him as your man, your husband, you lover, your companion for life.

However, each one of you also must love his wife as he loves himself, and the wife must respect her husband. - Ephesians 5:33

Dark Energy and where does it come from?

Written on Tue, 7 June 2016

Dark Energy has been a subject that is heavily researched on till today, for a very simple reason; We have absolutely no clue what it is.

Now, before we get to it, let's clear out some misconception about it:

1. It is not dark matter. They are not the same, despite sharing a common word.
2. It is not dark. We are not talking about visible light here. The dark represent something that is currently unobserved, unknown, and not fully understood.
3. It is not magic. Need me explain more?

Ok, so we have cleared out some of these misconception, what do we really know about it? To even begin with, we must first understand the background of how we came to realise it.

The universe is expanding

We know that the universe is expanding because we can observe that galaxies are moving away from us. The stars in the milky way isn't expanding with the universe because the gravity pull from the black hole in the middle of our galaxy is holding everything together. But just about everything else in the universe is.

The galaxies are not just moving away from us, but they are moving at an accelerated rate. That's where things get weird. It's not supposed to.

Gravity pull is suppose to slow down the expansion

Gravity is such an attractive force that it will pull everything to itself. Just as our milky way is held together by a strong gravity, the universe expansion should slow down and eventually collapse. Just as you pull a rubber band, it's elasticity will eventually snap it back together. In order to prevent it, you need to apply energy. And even more so if you want to pull the rubber band at an accelerated rate (assuming you have a rubber band that can stretch forever).

So what is causing the universe to expand at an accelerated rate?

Secular scientist call it Dark Energy, or anti-gravity as it does the opposite effect of gravity resulting in a constant expansion of the universe. Many details of it remain speculative. Evidence of it comes from indirect observations.

What does the bible say about it?

It is He who sits above the circle of the earth, And its inhabitants are like grasshoppers, Who stretches out the heavens like a curtain, And spreads them out like a tent to dwell in. - Isaiah 40:22

The bible has indicated that God is responsible for the "stretching" and "spreading" of the universe "like a curtain" and "like a tent" respectively. Through the bible, we know that the universe has been expanding before modern science validates it.

This goes against the creation myth that the universe is eternal and unchanging, as scientist once thought. The idea of an expanding universe would have been considered nonsense to most scientists of the past. Yet, the same bible, that taught about an expanding universe in the past, is still being validated by modern science.

While we know that God is responsible for the expansion of the universe, His methods and ways are still a mystery to us. Thus, we still call it Dark Energy. Perhaps one day, we will know better as we advance through science.

Why port forwarding is bad?

Written on Mon, 30 May 2016

How many of our home routers have port forwarding for services like baby monitors and cameras? Maybe you set up a FTP server so that you can access your movies on-the-go.

But did you know, that is opening up your home systems for attack. It only takes 1 device to be compromised for the rest of the dominos to fall.

Why is it bad?

Devices such as baby monitors are built for the primary purpose of serving its function. It was never built as a network security device. It certainly has the basic security such as authentication, but that's usually the only thing.

On top of that, firmwares for these devices are not regularly patched, much less updated on the device itself. Any vulnerability discovered would likely stay vulnerable for a very very long time.

How do other devices get compromised?

It takes only 1 device to be compromised for the rest of the devices in the network to be compromised. Take for example, if you have a file server contain your accounting data. You have no port forwarding set for the server, thus, you assume that an incoming connection from the internet is not possible. But your port-forwarded IPCamera got compromised and it's on the same network as your file server. Since the IPCamera can connect to your fileserver, it's only a matter of time that the authentication on your file server is broken.

What should be done instead?

Instead of port forwarding directly to your devices, implement a hardware firewall in your network with VPN services. Firewalls are dedicated network security devices. They live for that one purpose and only that purpose. The software and/or the firmware of these hardware firewalls are regularly patched from vulnerabilities. Within its own settings, you are usually able to set automatic updates from the vendor. In your router, you might still need to port-forward to the firewall, which is fine if that is the only device you are port-forwarding. Hackers are stopped right at your firewall. Check your vendor if port-forwarding is required.

So how do you connect to your devices without port forwarding to it directly?

Here's where Virtual Private Network(VPN) comes into play. Most of us consumers who have used VPN before would think of it as a way to bypass country-restricted content like Netflix. But that's not the only thing VPN does. It connects your device on the internet back to your firewall, and allow it to connect to other devices as if it is on the same network.

A properly implemented VPN is extremely secure. It usually implements 2048bit RSA encryption, something that will take the current supercomputer more than 1 000 years to crack. Even if your encryption key is compromised, such as theft, you can immediately disable the encryption key to that device. The thief will no longer be able to access the VPN from that device.

So if you have baby monitors, IPcameras, or other hosting services for your personal use, use VPN.

Where do I get a hardware firewall?

There are commercial providers such as Fortinet that comes with annual subscription. It can be a tad-bit too expensive for small startups and home users, and maybe too complex to administrate for a network with less than 20 devices.

Other alternatives like Untangle offers a load more flexibility. Untangle is entirely open-sourced, so techies will love it. For the everyday consumer, you will love how easy it is to use.

The open sourced edition is free, as in beer, forever. It uses a freemium model where only enterprised services have an annual fee. The only cost you have to worry about, is the hardware. You can reuse most old hardware as Untangle firewall. You probably just need to install another network card so that you have 2 ethernet ports. You can work with 1 etherport, but it's complex to setup and less secure. Check out the minimum hardware before you build it. If that's not an option, you can buy an affordable appliance that comes with 1 year warranty. Annual subscription and extended warranty is optional.

Untangle uses OpenVPN for VPN services. It's an already proven technology that is able to bypass certain port blocks, as it uses the standard port 80 instead of specialised port that can be easily blocked by ISPs and wifi providers. Just create a client and you will be able to download the encryption certificate for your devices. If you are using Windows, it comes with the client itself. Otherwise, you might want to read the documentation for your device, such as android or iOS, on how to instead the certificates. You might need to port forward TCP/UDP 1194 on your router to your firewall, and that should ever be the only port forwarded. Check with your ISP, vendor, or network administrator if this is required.

Once you are connected back to your LAN, freely browse to your device IP address.

Why is this so important?

We are living in a world getting more connected than before. Our devices at home are more internet-enabled than before. We are already at the age of Internet of Things, where every little thing, from our kids' toys to the common refrigerator, is now connected to the internet.

The sole responsibility of network security does not lie with the manufacturers of these things. We are equally responsible for the network security of our homes. Take this simple step to secure your home or small office network.

The Kindness Chain

Written on Mon, 30 May 2016

Has someone just given you an act of kindness? Thank that person. That person might have just received kindness from someone else, and thus has passed the kindness baton onto you.

The kindness baton is now with you. What will you do?

Pass it on?

Keep it for yourself?

Questions! Questions! Is there even a need for questions? The power to change lies in you. Pass on, make a better world. Keep it, the world just gotten a little dull.

Pass on that baton to another person. When the other person thanks you for it, say this: "Do the same kindness to another person". Let the other person decide whether to pass the baton or not. You have done your part of complete the kindness chain.

Let's Encrypt the internet

Written on Fri, 20 May 2016

Every website should have https option. In fact, it should be the default. But how many times have we seen that https cert costing a lot, and even the free certs require 30 days regular renewal. Some offer 90 days renewal, but that's aside the point. Certs require maintenance.

But we can thank Internet Security Research Group, a public benefit corporation, for providing the internet with free and hassle-free certificates. ISRG is sponsored by many organisations, from non-profits to Fortune 100 companies. A full list of sponsors can be found here.

Important

One important thing to note is that this is not Extended Validation(EV) certificates. EV certificates can be obtained from Comodo. These certificates require additional verification beyond the technology, which is why it's particularly important if you want to conduct online transactions. Your customers need to know that the website(YOU!) they are transacting with, is trusted.

Alright, so let's get started to install certs for our web servers. If you had followed my tutorial on setting up a web hosting site, this tutorial is exactly for you. If you had set up your own web server under different configuration, the tutorial here should still apply to you for most part. For more information, you can go here to find a specific instruction for your build.

By the end of this tutorial, you will have:

• certbot installed
• All sites in your server instance to have https enabled, if you didn't proceed to revoke.
• All Certificates installed will automatically renew every 90 days.
• Bonus: If you have piwik installed from previous tutorial, you can force SSL on it.

What you need:

• You need to have a web hosting site already running. You can follow my tutorial on setting up a web hosting site to get you started.
• Some linux knowledge

Installation

Let's start with installing the certbot to Ubuntu 16.04. SSH into your server. All commands are done on root account. Prepend sudo if you are not in root account.

apt-get install python-letsencrypt-apache

Automated installation

Let's run the installation programme:

letsencrypt --apache

On the first screen, it will prompt you for which sites you would like to install certs to. Choose all that you want to. As for me, I picked all my sites.

Next, you have to enter your email address.

Be sure to read all the legal terms and conditions of usage before you proceed to install the certificates. Especially the rate limits. If you agree, just select agree on your SSH console.

Now it's going to prompt you whether to set https as the only connection or allow both http and https. For me, I prefer to use both and instead leave it to individual application to redirect to https. Choose the option which you prefer.

That's it for the installation. You are set to use https. You can verify your ssl is working with https://www.ssllabs.com. Your Certificate will also last you 90 days. It's also a good idea to regularly backup /etc/letsencrypt folder.

In case you can't connect to https, be sure to check your aws security groups and allow port 443 to your instance.

Automated Certificate Renewal

Since your certificate will only last you 90 days, you need to regularly renew your cert. Now, here's the part where Let's Encrypt does magic better than most other free certificate providers. It will automatically renew for you, which is as good as a permanently free service.

Let's do a test run on certificate renewal to see if any errors occur:

letsencrypt renew --dry-run --email [YOUR-EMAIL] --agree-tos

Make sure you clear away any errors if you encounter any.

If there is no error, you can proceed to set automatic renewal through cronjob:

crontab -e

Add the following to the cronjob entries:

30 */12 * * * letsencrypt renew --email [YOUR-EMAIL] --agree-tos

This will run the renewal twice every day, recommended by their documentation. It is advisable that you run the renewal process on a random minute. I guess this is to ease their server load for being hit by renewal request when the clock strikes a particular minute.

That's it! You now have a permanently free SSL cert for all your websites. If this service has benefited you, do consider a small donation.

Revoking a certificate

If you ever need to revoke a certificate, here's how you can do it:

letsencrypt revoke --cert-path /etc/letsencrypt/[path-to-your-cert]

If your cert is placed elsewhere, do modify the path accordingly.

Your cert will no longer authenticate with the Certificate Authority after awhile. That's it.

Conclusion

This is by far the easiest way to install certificates I've ever experienced. It practically does everything for me. I don't even need to know how to generate keys, or configure anything on Apache. It just works.

Great job, Let's Encrypt

Bonus: Force SSL for Piwik

Did you follow my tutorial on Piwik Installation? If you did, you can force Piwik to use https everytime. It's highly recommended that you do so, so that you can protect your login credentials from being in the clear during transaction.

Browse to your piwik installation configuration folder

cd [path-to-piwik-installation]/config

Edit the config.ini.php

nano config.ini.php

Add the following under [General]: (or edit the line if the settings already exists)

[General]
force_ssl = 1

That's it! Your Piwik installation will now use https whenever it is browsed. You have made your site secure and the internet a little bit safer.