OpenID Connect

At work I’ve been doing a ton of Single Sign On, SAML, and certificate based authentication. I wanted to try that out for my own personal use. It turned out to be much easier than I expected.

I’ve already blogged here about updating my site certificates using StartCom SSL. Another free service they offer is an OpenID Connect certificate.

The process is actually pretty straight forward.

To get started with StartCom in the first place you have to download a client side certificate into your web browser. This is a file that you must keep on your computer and must protect. When your web browser connects to StartCom services it presents this certificate and says “Here I am”. Since you should be the only person with that certificate StartCom can say “OK, come on in”. 

This is nice because you don’t have to remember a username and password. The downside is that you have to keep this certificate handy to load it onto each machine you connect from. An encrypted USB key can be handy for this. You have to figure out how to make your Operating System and Browser combination present this certificate as an identity cert. Often this is an advanced setting in the browser that allows you to import an Identity Certificate.

OpenID Connect takes this to the next step.

StartCom knows who I am and knows my certificate. As a provider of web services (bbbburns.com WordPress) I can make the decision to allow in certain users that an OpenID provider has authenticated. I downloaded the WordPress OpenID plugin, and tied my ID of bbbburns.startssl.com to my WordPress account.

When I login to my own WordPress site now I can just type in “bbbburns.startssl.com” as the user and hit Login. The site redirects me to startssl.com for authentication using my client certificate. If successful, I get redirected back to bbbburns.com with an authentication assertion. Since bbbburns.startssl.com is tied to my WordPress account on the server I’m automatically logged in as this user.

The setup for all of this took just a few minutes!

URL protocol specifier

Woah – why didn’t anyone tell me I could replace https:// or http:// with JUST // to preserve the protocol on the current page?

I didn’t know about it until I saw YouTube embed links using it.

This is amazing news. I’ll have to go through and update my blog posts to see if this breaks anything.
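As an added example (not code from the original post), here is how the browser's own URL API resolves a protocol-relative reference like the YouTube embed links, including the file: case that can break a local preview:

```javascript
// Added example, not from the original post: how a protocol-relative
// reference ("//host/path") resolves against the page that contains it.
// Uses only the WHATWG URL API, which browsers and Node both provide.

// Resolve one reference against the URL of the page it appears on.
function resolveReference(ref, pageUrl) {
  return new URL(ref, pageUrl).href;
}

// Scheme the reference ends up with, e.g. "https:".
function resolvedScheme(ref, pageUrl) {
  return new URL(ref, pageUrl).protocol;
}

// Mixed content = an http:// resource loaded into an https:// page.
// A "//" reference is never mixed content, because it inherits the
// page's scheme; a hard-coded http:// reference is.
function isMixedContent(ref, pageUrl) {
  const page = new URL(pageUrl);
  const target = new URL(ref, pageUrl);
  return page.protocol === 'https:' && target.protocol === 'http:';
}

// Constructed sample: a YouTube-style embed reference (VIDEO_ID is a placeholder).
const EMBED = '//www.youtube.com/embed/VIDEO_ID';

console.log(resolveReference(EMBED, 'https://bbbburns.com/blog/'));
// → https://www.youtube.com/embed/VIDEO_ID
console.log(resolveReference(EMBED, 'http://bbbburns.com/blog/'));
// → http://www.youtube.com/embed/VIDEO_ID

// Caveat: the inherited scheme can also be file:. Previewing a post from a
// local .html file resolves the embed under file:, so nothing loads. That is
// one of the "does this break anything" cases worth checking after the switch.
console.log(resolvedScheme(EMBED, 'file:///C:/Users/user/preview.html'));
// → file:
```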

BTC Trading Insanity

I’ve been flailing around trying to figure out how trading BitCoins works. I haven’t really DONE any trading – but check out these crazy graphs over at BitCoinWisdom.com. There is so much going on. Click on all the things. You’ll see.

Tech Weekend – HTTPS Everywhere

To improve privacy and security HTTPS should be used everywhere. It SHOULD be the default option. Unfortunately this isn’t always the case. Even worse, you have no idea what the browser is doing behind your back. For instance – this site you’re reading now is going off and contacting Google Analytics and downloading images from other locations. If you trust me (the author) you can assume I’ve typed in those URLs as HTTPS instead of HTTP, but why trust me when you don’t have to?

DISCLAIMER: I know my site cert is self-signed. I’ll get to a CA signed cert eventually. Deal with it ;) (edit 2013-12-ish: I took care of this with a cert from StartCom.)

HTTPS Everywhere is a browser plugin that can be used to solve this exact problem. Load the plugin into Firefox or Chrome and off you go. The most common sites are automatically converted from http:// in your address bar to https://.

But WAIT – it’s of course not that simple. Let’s take Google as an example. Here is the default Google search URL

http://google.com

So what is the secure Google search URL?

https://encrypted.google.com/

Thank you security for ALWAYS making my life more complex than it needs to be. So if we want a plugin that can convert the most popular sites from http to https we need a long list of rules that are site specific. The plugin comes with these by default.

Now let’s say I’m a WordPress Admin and I want to make sure I ALWAYS log into the following instead of the http site.

https://bbbburns.com/blog/wp-admin/

This is where I type my password in to the cloud based server so it had better be over a secure connection. Unfortunately the EFF / plugin does not know who I am so there is no bundled rule for my site. I have to write my own.

Now we get to the whole point of this post. All of the instructions for writing your own custom HTTPS Everywhere rules are for Firefox. None exist for Chrome.. UNTIL NOW. Also – the instructions are extremely detailed on the rule syntax, but leave me wanting more when they describe which files to change and where.

Writing HTTPS Everywhere Rules for Google Chrome Browser

Take THAT search engine. No .. really.. take it.. I hope someone finds this useful. The EFF instructions are missing the following pieces.

Search for your rules

Search on your computer for the default.rulesets file. This will get you in the right directory. I found mine here: (I converted all backslashes to forward slashes because of a funky problem I was having with the post)

C:/Users/user/AppData/Local/Google/Chrome/User Data/Default/Extensions/<random string>/2013.10.16_0/rules/default.rulesets

This file was pretty long and I didn’t want to edit the thing directly. I wanted to just take my OWN custom rulesets file and load that. Luckily it looks like the following file can do exactly that. I’ve added the second entry and created a new file with that name, custom.rulesets.

C:/Users/user/AppData/Local/Google/Chrome/User Data/Default/Extensions/<random string>/2013.10.16_0/rule_list.js

var rule_list = [
"rules/default.rulesets",
"rules/custom.rulesets",
];

That allows us to have our rules for converting http://bbbburns.com to https://bbbburns.com. Here’s what I entered into the custom.rulesets file.

C:/Users/user/AppData/Local/Google/Chrome/User Data/Default/Extensions/<random string>/2013.10.16_0/rules/custom.rulesets

<ruleset name="BBBBBurns">
  <target host="www.bbbburns.com" />
  <target host="bbbburns.com" />

  <!-- Dots are escaped so "." matches only a literal dot, not any character -->
  <rule from="^http://(www\.)?bbbburns\.com/" to="https://bbbburns.com/"/>
</ruleset>

Save those files and restart Chrome and you’re on your way to a more secure browsing experience. If there are sites you visit that HTTPS Everywhere doesn’t encrypt by default you can add these rules.
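As an added example (not from the post or from HTTPS Everywhere itself), here is a small JavaScript re-implementation of how a ruleset is matched and applied, assuming only the exact-host targets and from/to rules used above, so a custom rule can be tried against URLs before restarting Chrome:

```javascript
// Added example, not from the original post or the HTTPS Everywhere project:
// a small re-implementation of how a ruleset like the one above is applied,
// so a custom rule can be checked against real URLs before restarting Chrome.
// Handles only what the post uses: exact-host <target> entries and
// <rule from= to=> entries (no wildcards, <exclusion> or <securecookie>).

// Pull the name, target hosts and from/to rules out of one <ruleset>.
function parseRuleset(xml) {
  const name = (xml.match(/<ruleset\s+name="([^"]+)"/) || [])[1] || '';
  const targets = [...xml.matchAll(/<target\s+host="([^"]+)"\s*\/>/g)].map(m => m[1]);
  const rules = [...xml.matchAll(/<rule\s+from="([^"]+)"\s+to="([^"]+)"\s*\/>/g)]
    .map(m => ({ from: new RegExp(m[1]), to: m[2] }));
  return { name, targets, rules };
}

// Rewrite one URL. Only URLs whose host is listed as a target are considered
// at all; then the first rule whose "from" pattern matches wins. Anything
// else (already https, a host that is not a target) is returned unchanged.
function applyRuleset(ruleset, url) {
  const host = new URL(url).hostname;
  if (!ruleset.targets.includes(host)) return url;
  for (const rule of ruleset.rules) {
    if (rule.from.test(url)) return url.replace(rule.from, rule.to);
  }
  return url;
}

// The post's ruleset, with the dots escaped so "." matches only a literal dot.
// (The target list is what really limits which hosts get rewritten; the
// pattern only decides how a matching URL is rewritten.)
const CUSTOM_RULESET = `
<ruleset name="BBBBBurns">
  <target host="www.bbbburns.com" />
  <target host="bbbburns.com" />
  <rule from="^http://(www\\.)?bbbburns\\.com/" to="https://bbbburns.com/"/>
</ruleset>`;

const rs = parseRuleset(CUSTOM_RULESET);
console.log(applyRuleset(rs, 'http://www.bbbburns.com/blog/wp-admin/'));
// → https://bbbburns.com/blog/wp-admin/
console.log(applyRuleset(rs, 'http://blog.bbbburns.com/'));
// → http://blog.bbbburns.com/ (not a target, left alone)
```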

I recommend saving your custom file and the rule list in your “Development” directory or “scripts” or “hacks” or whatever you call it because surely this is all going to be blown away when Chrome auto updates. That’s just my assumption looking at the folder names above which seem version specific.

I think this concludes the Tech Weekend for me this weekend. Stay tuned for posts about password managers, two factor authentication, and PGP encryption and signing for email and other things.

Tech Weekend – TrueCrypt

Since I have a BitCoin Wallet now I figure I should probably have an encrypted offline storage mechanism for all the keys and the wallet file itself. If best practices have been followed then your Wallet is password protected already, but let’s go ONE MORE step and encrypt them on a USB drive.

So far TrueCrypt rocks. The user interface is extremely unhelpful to n00bs up front but once you straighten things out it should prove easy to use.

Here we see that I’ve mounted the 100MB file F:/SwissMemory-100.tc as drive S. Drive F is where the USB key actually is and Drive S is the new virtual encrypted drive.

  1. Download True Crypt
  2. Download True Crypt Key and Signature (another blog post for PGP)
  3. Verify signature with PGP tool of choice
  4. Install
  5. Plug in your favorite USB drive
  6. Choose the Create Volume button and a Wizard launches
  7. Select encrypted volume and make a .tc file of the desired size on the USB key. If you just want to store some small files you can make a pretty small volume. It’ll be a small opaque file on the USB drive. There are other options to encrypt the entire volume but honestly my resume and other assorted files on there don’t need encrypting. This means the USB drive can still be used in other computers without TrueCrypt installed. You’ll only need TrueCrypt to get access to what you keep in the encrypted part.
  8. Create a long ass random password for the volume. (LastPass is what I’m using for this. Another blog post is required for comparing password managers).
  9. Change the TrueCrypt preferences to auto open Explorer window for mounted volume.
  10. In TrueCrypt select your newly created .tc file to mount as a drive letter. You’ll have to enter that super long password again. This should cause the folder to open automatically on your desktop.
  11. Copy all of your important files into this folder. It’ll show up as a new drive that you can manage natively from your PC.

There you go – now you’ve securely stored your key files and wallet files. If you drop the USB drive somewhere it’s safe from prying eyes and your BitCoins won’t be stolen.

This DOES NOT protect you from someone either extorting you to provide the password or an agent of the law / court ordering you to provide the password. In this case a Hidden Volume would be required to have plausible deniability that any encrypted volume EVEN EXISTS.

Check out this pretty cool TrueCrypt article on what they call a hidden volume. It’s neat how they do it.

Tech Weekend – Barley

I realized I’ve been seriously neglecting my blog. Mike Rundle (@flyosity) posted a quick link to Barley showing they had Word Press support. I watched the video and was pretty impressed. WYSIWYG editing for a blog. I just GO to the site and can start typing into the web page. AWESOME!


I’m having some difficulty so I’m not sure I’m going to keep using it, but if they fix some bugs I could be on board. I could probably try a different browser and see if that helps. Using Chrome now.

  1. Sometimes when I highlight text I don’t get the popup to take an action.
  2. When you DO highlight text and get the edit box to pop up for a link you’re still not guaranteed smooth sailing. Moving the cursor outside the popup causes it to disappear. I do this often because the popup has http:// auto filled. I’m going to copy my link straight from the URL of my other open tab so I need to select the pre-filled http:// and delete the damn thing. If I click and drag outside the tiny popup it goes away. CTRL-A has become my answer for this. Instead just don’t prefill http:// dudes :(  
  3. The Publish option isn’t even available! I’m writing this in the standard editor now to finish it up.
  4. When you insert a YouTube video the video preview doesn’t show right away so you just have a big white space where you HOPE the video will go.

Here’s what I mean about the size of the pop. I usually start by clicking on the right and dragging back to the left. I’ve only got about 8 pixels or whatever of run off on the left before fiery popup death. Very frustrating.

If all these get fixed though that’ll make me more likely to blog. After going through and reading this list again I’m initially disappointed. I’ll give it more time before I throw in the towel.

Tech Weekend – BitCoin

Project #1 Today: BitCoin

Today’s first item on the agenda was to figure out how BitCoin works and then invest some money into the thing. I had thought that anonymity was a cool part of BitCoin but it looks like if you ALSO want the convenience of sitting in your underwear at home you’ll need to give some of that up.

Step 1. Research Research Research

Lots and lots of reading. I read pessimistic articles, positive articles, neutral articles, articles by fanatics (the true anarchist BTC believers online are a bit nuts), articles that focused on tech, articles that focused on the economics of it, all sorts of reading and videos.

Conclusion: Seems potentially legit but risky. Possibility for extreme shady activity but ALSO possible for regular transactions. Subject to wild ass price fluctuations. Be prepared to have your financial or legal ass handed to you if you’re not careful and try to do something stupid. Don’t do anything illegal.

I learned that you need to have a secure wallet with a secure backup, or use a trusted online wallet. Coinbase.com is a generally respected online wallet and Multibit is a trusted lightweight personal wallet. Backup your shit onto a DVD, USB, paper, whatever if you’re going the personal route. Learn how PGP signatures work. Learn how secure mail and messaging works (this part is just for fun – not really required).

At this point you should now have a wallet with an address.

Step 2. Get some BitCoins (BTC)

This part is where you’re making a trade off between anonymity and ease of use. You could go to a face to face person local to your area willing to trade cash for BTC. This preserves your anonymity but you’ll have to put on pants. Also – this person is essentially a money changer so I believe they have certain things they have to follow or else they’re in a shady financial / legal area.

I think we’re at a self discovery point. I value my anonymity less than I value the convenience of remaining pantsless! Other semi-anonymous cash transfers are things like the CVS money exchange.

So let’s trade in my anonymity for convenience and a more ethically firm approach. Coinbase.com comes up again as a site where a Bank Account can be linked by ACH transfer. Once you verify your identity you have some trade restrictions lifted and get the ability to perform immediate transfers from USD to BTC and back.

So we’ve done an ACH transfer between Coinbase and our bank account. You’ve gotta have some serious trust here at this point because you’re disappearing real world money for cryptographic virtual assets. Gird your loins – you just typed your bank account info. It might be preferable to set up a small real world bank account with just a bit of cash in it for this exact purpose rather than linking your life savings to this site.

At the end of this step we should have some fraction of a BTC based on how much money we foolishly threw to the wind. You can keep this money in the online Coinbase wallet, you can spend it at merchant, or you can transfer it to another wallet offline.

Step 3. Transfer to another wallet (just for fun)

I purchased 0.1 BTC today just to see what would happen. Turns out that was roughly $100 USD. Enough that I felt I have some stake in things and so little that I wouldn’t mind if “terrible things” happened. As I write this it’s now worth $108 USD. ANYWAY – we have the money sitting there in an account. Now you can send some portion to another wallet via a BitCoin Address which might look something like

1Brrp5ExbE1XrNUi93Qv8yY8TFnKj6bgBX

Feel free to send BTC to that address by the way if you found this article useful ;)

Let’s look at that address. BitCoin uses something called a shared ledger. You can think of this as a big checkbook for EVERY transaction. Everyone has a copy of the checkbook and to make updates into the checkbook you need to be cryptographically verified. This means EVERYONE can see EVERY transaction. So that account above – let’s see what it’s been up to:

That account has a .001 transfer into it as the only history. Here is where the BitCoin Address comes into play. If I spent from that address you could track my actions. Coinbase has a way (that I don’t understand yet) to have the transfer out come from a different address than the transfer in. That’s an anonymity best practice I’m still trying to wrap my head around.

Step 4. ???

Here I don’t really know. I guess buy some things with your BitCoins. Hold onto them for a while. Cash them out immediately. Whatever you want to do, so long as you don’t forget to report any profits on your taxes! I’m interested to see if CoinBase will provide any documentation to me at the end of the year to facilitate claiming any loss or profit (like my stock accounts do for me now).

Step 5. Bask in your new-found knowledge

Now you know a thing or two about BitCoin. Annoy your friends (like I’m doing RIGHT NOW). You can hang out in the SubReddit for BitCoin or watch the SUPER boring FinCEN / Senate hearing which had some interesting parts.

Tech Thanksgiving

Work has been insane lately. Big projects all happening at the same time and things going wrong unexpectedly. I’m writing because I finally have a 4 day break from work. 4 days is just long enough to stop thinking about all the stressful things I’m confronted with during a normal day.

With these 4 days I’m planning to really enjoy my time with serious geeking out. Here’s the list of tech items I’d like to hammer out:

  1. MySQL inside my blog AWS server has been crashing. I added a swap file to my t1.micro instance that’ll hopefully fix this.
  2. Amazon RDS? Maybe a dedicated database instance. Who knows?
  3. I want notification when my cloud services stop working. Either I want to do this with the Amazon Cloud Watch APIs or some external service. I’ve tinkered with the APIs and they seem a bit complicated for my single blog setup.
  4. Barley Editor. Done!
  5. BitCoin. I’m interested in security and what is more interesting than a crypto currency? Right now 1 BTC = $1035 which seems insane. It’s just skyrocketed lately so maybe not a good investment now. Needs further investigation.
  6. Video games? Probably.
  7. Shopping for snowboard equipment. Not geeky really – but still something I want to do.


2013-12-15 update: I added some swap space and haven’t had any trouble since.

WordPress Update and Open Sans / Clear Type

I had a serious issue after updating my blog to the Word Press 2012 Theme. The font looked like CRAP on my home PC and my Work Laptop. Doing a little bit of research on the new Open Sans Font I learned I needed to go to:

Control Panel > Display > Adjust Clear Type Settings

Once I turned on Clear Type and calibrated it, Open Sans stopped looking like a steaming pile of Lego poo and started looking pretty good. The side effect is I think the rest of my fonts got a little fuzzier, but I’ve been at work a long time so maybe coming back tomorrow will help me out with that.

If you read my blog and notice the letters i and l and t look all blocky and crappy and thicker than other letters then give the Clear Type settings a try.

Amazon AWS – LARGE Instance

I recently got it into my head to migrate to AWS and Gallery3. As part of the migration to Gallery3 I stupidly converted all of my image resize versions to 640×480. This is pathetically small but only took overnight on the web server under my desk.

With everything now on the AWS server I thought it would just be a snap to crank them all back to the 800×800 resize versions. Boy was I wrong! Using a T1 Micro image gave me GREAT performance for the first 10 seconds, then I was throttled back on performance so that it would take DAYS to convert these 8000 image resize versions.

My top output showed 98%st, or 98% hypervisor stolen time from my virtual machine. No CPU for you!

Here’s a pretty good blog that describes how AWS Micro instances allow you to burst up to 2 processors for a short time.

I watched my steal time go through the roof after just a few images were processed!

Never fear though – this is a problem that can be solved with MONEY and time. I had a bit of both this Saturday morning (and some coffee!).

I took an AMI snapshot of my web server, created a new instance based on the LARGE template (7.5GB of RAM and 4CPUs!!!!) and said.. “Hey run my disk image on this large platform”. Now I can convert images to my heart’s content. However, this costs me about 34 cents an hour.. so once I’m done I’ll take another snapshot and say “OK, run these disks on the micro instance again. I’m done with all that extra horsepower.”

4 cores is WAY more CPU than I need… but I only get charged while I’m using it, and maybe it will speed things up. It’s easy to switch back and forth too!

With Elastic IPs I don’t even have to muck with DNS.

I just say “Hey Amazon, make my public IP point to the large instance, or small instance.” Then it’s updated on the fly. Very cool stuff!