Category Archives: FOSS & Open Source

Content Security Policy and WordPress

For your protection, I’ve been working on securing this website with all the proper security HTTP headers.  Of course, by running WordPress as the backend, I’m making it easy to manage all the data but making it difficult to manage all the pieces and parts of the system’s backend.  The largest problem I’ve found is the many inline JavaScript and inline CSS snippets that are in WordPress Core.

So far I’ve added the easy headers: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, and Referrer-Policy.  The complicated one, at least for sites using WordPress, is the Content-Security-Policy.  Unfortunately, the Content-Security-Policy is the best protection against XSS attacks.  As I pointed out above, WordPress uses several inline scripts and CSS instructions.  This means that I’d have to use “unsafe-inline” when describing what is allowed for scripts and styles.  Unfortunately, adding that negates much of the protections offered by the policy.

There is a way around doing this while still allowing inline scripts: using a nonce.  Of course this isn’t really possible with code that one doesn’t directly control, like the WordPress Core.  I did, however, find a potential fix that may be forthcoming that I’ll be monitoring.  This enhancement would allow for a plug-in to add a nonce to these scripts, thus allowing a Content-Security-Policy to be defined to allow those specific scripts.  Until then, I’ll have to leave this site somewhat unprotected like many (most?) websites are today.
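To show what the nonce approach described above looks like in practice, here is an added Python sketch (my own illustration, not WordPress code and not part of the original post): it generates a per-response nonce, builds a matching Content-Security-Policy header, and models how a browser decides whether a given inline script may run.  The policy strings and the helper names are my assumptions.

```python
import html
import secrets
from typing import List, Optional


def make_nonce() -> str:
    # 128 bits of randomness; a fresh value must be generated for every response
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    # Constructed policy: scripts and styles only from this origin or tagged with the nonce
    return ("default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; "
            f"style-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'")


def inline_script(nonce: str, js: str) -> str:
    # What a nonce-aware plugin would have to emit for each inline <script> element
    return f'<script nonce="{html.escape(nonce)}">{js}</script>'


def directive_sources(policy: str, name: str) -> List[str]:
    # Return the source list of one directive, e.g. ["'self'", "'nonce-abc'"]
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0] == name:
            return parts[1:]
    return []


def inline_allowed(policy: str, directive: str, tag_nonce: Optional[str]) -> bool:
    """Model the browser's decision for one inline script/style element.

    A matching nonce allows it.  'unsafe-inline' allows every inline element,
    injected ones included, but is ignored as soon as the same directive also
    carries a nonce or hash source (CSP level 2 and later).  With no
    script-src/style-src directive, default-src applies."""
    sources = directive_sources(policy, directive) or directive_sources(policy, "default-src")
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    has_hash = any(s.startswith(("'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if tag_nonce is not None and tag_nonce in nonces:
        return True
    return "'unsafe-inline'" in sources and not nonces and not has_hash
```

An inline script without a nonce (the WordPress Core case) is blocked under the nonce policy, while a policy that relies on 'unsafe-inline' lets every inline script through.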

Apps for Ham Radio Networks

You’ve built your mesh or 802.11 network to support your activity.  Now what?  Unfortunately, most client software doesn’t support peer-to-peer activities.  You have to have a server acting as the central repository and distribution point for your data.  Sounds complicated…

It can be daunting to make these resources available but it doesn’t have to be.  If you are already running a Linux-based operating system (sorry, Windows users but Microsoft will want you to pay an arm and a leg for what I’m getting ready to suggest and Microsoft software can’t do much of what I’m going to suggest, either) then you’re already most of the way to having your own server.  Most, if not all, of this software is already available in your distribution’s software repository for easy installation.

There is core software in use on the Internet today for moving data around.  Using the tools that most people are already familiar with helps make the overall network successful.  Obviously the first question should be “what are you trying to accomplish?”.  Setting up a camera on the network and sharing that data across the network is easy, mostly because the camera likely already includes its own webserver.  But how can you bring the rest of the tools into play to make your network even more useful?

Email

Email is fairly ubiquitous and everyone seems to know how it works.  There are three protocols you should be familiar with when dealing with email: SMTP, POP3, and IMAP.  These are the services that handle routing and delivery of your mail.

SMTP

Simple Mail Transfer Protocol (SMTP) is an Internet standard for routing messages between email servers.  When you send an email, today, your client connects to an SMTP server and sends the message.  The SMTP server, after receiving the message from you, attempts to figure out how to deliver the message to the distant email server.  If the message is being kept locally (i.e. the recipient is on the same server as where you delivered the message) then the message is filed for delivery when the recipient queries the server.

An often-used SMTP program is Postfix.  It requires a little configuration but basically “just works”.  Postfix will handle receipt of mail and delivery to the mail server where your recipient is without further action from the user.

POP3 and IMAP

Post Office Protocol version 3 (POP3) and Internet Message Access Protocol (IMAP) are on the message delivery side of the house.  These are the protocols that allow a user to query the email server for mail.

POP3 basically forces a user to collect their mail and then delete it from the server.  By doing so, once downloaded, the user has the only copy of the message and the server is freed of the responsibility (and storage space) for handling the message.

IMAP, on the other hand, allows the user to download a copy of the message but, until deleted, the message remains on the server.  This allows the user to utilize multiple clients, with sorting into folders, and have that organization synchronized among all the user’s client software.

Dovecot handles delivery of messages to clients using POP3 and IMAP.  Again, the software requires a bit of configuration but generally just works.

Web Server

Have a website you want to publish on your network?  Want to use a program to share files and other information?  You’ll need a webserver!

Apache’s HTTP server, commonly known as httpd, is very easy to set up and use.  Once installed, the server looks for files in your web folder (/var/www/html) and waits for requests from clients.

Want to share files and other information?

OwnCloud

OwnCloud is a suite of client-server software that creates a file hosting service and also allows management and sharing of calendar information, contacts, and more.  Because it’s far more efficient to share files using the HTTP protocol, compared to email, and because files can be managed and synchronized among many computers through shares, using OwnCloud to manage files is far superior to using email.

Instant Messaging

Instant Messaging (IM) is an efficient and simple way of communicating short messages to other users in real time.  Some protocols allow peer-to-peer communications but usually a server is needed to facilitate the communications.

Jabber, instant messaging software based on the Extensible Messaging and Presence Protocol (XMPP), allows users to communicate with each other either person-to-person or in a chatroom where multiple people can participate.

Voice Communications (VoIP)

Using the session initiation protocol (SIP), one can handle VoIP “calls” over the network.  This can be between VoIP phones or between AT conversion boxes linking analog repeaters.  Unless you know exactly what phones are where, and your system isn’t growing, you likely don’t need a server.  But, if you plan on expanding your network and wish to have dynamic routing (phone numbers) then you’ll likely need a centralized server.

Asterisk is a great private branch exchange (PBX) server allowing telephones to connect with each other.  Connections between the server and the clients are generally done using SIP whereas connections between Asterisk servers use Inter-Asterisk eXchange (IAX).

Connecting LANs

All of this information has been presented without the network management infrastructure that helps make communications between networks easier.  Handling data on a single local area network (LAN) doesn’t necessarily require this kind of infrastructure, but utilizing tools like DHCP, DNS, and others can be helpful.

Summary Conclusion

As you’ve seen, once you’ve built your network there are a few more challenges to making your network work for you.  This, however, doesn’t need to be an impediment and with just a little work you can make your network truly work for you.  You also don’t need any fancy hardware, as these tools can easily run on a laptop connected to the network for easy deployment.

All the suggested software is free and open source software (FOSS) which allows anyone to deploy the software for free (and allows you to make changes to the software if needed).

Securing email to Gmail

I’ve been working on securing my postfix configuration to enforce certificate validation and encryption on some known, higher-volume, or more sensitive connections between SMTP servers (port 25).

On many of the connections I’ve set up for secure transport there have been no problems (assuming proper TLS certificates are used).  Unfortunately Gmail™ has been a problem.  Sometimes it verifies and validates the certificate and other times it doesn’t… for days.

After conferring with Google Security I believe I’ve come up with a solution.  In my tls_policy file I’ve added the following:

gmail.com       secure match=.google.com:google.com ciphers=high protocols=TLSv1.2

So far this is working but I’ll continue to test.

If you run your own SMTP server and wish to maintain a secure connection with Gmail this is an easy way to enforce encryption as well as validate the certificate.  Of course this doesn’t protect the message while it’s being stored on the server or workstation (or on Google’s internal network).  To protect messages at rest (on a server) one should use GPG or S/MIME.  Using both TLS over the network between servers and GPG or S/MIME is beneficial to provide protection of the messages going over the Internet.

Update

This configuration is applicable with the OpenSSL version shipped with CentOS 6/RHEL 6.  Implementing this on CentOS 7/RHEL 7 or another flavor of Linux may require a different/better configuration.
The policy has been updated for CentOS 7/RHEL 7, which supports TLSv1.2 in Postfix.  Other services can also be set up similarly:

google.com    secure ciphers=high protocols=TLSv1.2
comcast.net    secure ciphers=high protocols=TLSv1.2
verizon.net    secure ciphers=high protocols=TLSv1.2
hotmail.com    secure ciphers=high protocols=TLSv1.2
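As an added example (my own, not from the post and not a Postfix tool), the following Python reads entries in the smtp_tls_policy_maps format used above and reports which destinations only get encryption rather than certificate validation, which “secure” entries have no match= list, and which allow a deprecated protocol.  The sample table is constructed; its first two lines follow the post, the rest are made-up weaker entries for contrast.

```python
from typing import Dict, List, Tuple

# Constructed sample in smtp_tls_policy_maps format (not a real policy file)
SAMPLE_POLICY = """\
# domain        level   attributes
gmail.com       secure match=.google.com:google.com ciphers=high protocols=TLSv1.2
comcast.net     secure ciphers=high protocols=TLSv1.2
example.net     encrypt protocols=TLSv1:TLSv1.2
example.org     may
"""

LEVELS = {"none", "may", "encrypt", "dane", "dane-only", "fingerprint", "verify", "secure"}
VERIFYING = {"dane-only", "fingerprint", "verify", "secure"}  # peer certificate is checked
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_policy(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'domain level [attr=value ...]' lines; lines starting with '#' are comments."""
    table: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        fields = raw.split()
        if len(fields) < 2:
            continue
        entry = {"level": fields[1]}
        for attr in fields[2:]:
            key, _, value = attr.partition("=")
            entry[key] = value
        table[fields[0]] = entry
    return table


def audit(table: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (domain, finding) pairs for entries weaker than the post's 'secure' lines."""
    findings = []
    for domain, entry in sorted(table.items()):
        level = entry["level"]
        if level not in LEVELS:
            findings.append((domain, f"unknown level '{level}'"))
            continue
        if level == "dane":
            findings.append((domain, "dane falls back to opportunistic TLS when no TLSA records exist"))
        elif level not in VERIFYING:
            findings.append((domain, f"level '{level}' never verifies the peer certificate"))
        if level == "secure" and "match" not in entry:
            findings.append((domain, "secure without match=: names come from smtp_tls_secure_cert_match (nexthop by default)"))
        protocols = set(entry.get("protocols", "").split(":"))
        if protocols & DEPRECATED:
            findings.append((domain, f"protocols={entry['protocols']} allows a deprecated protocol"))
    return findings
```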

Linux, the Yaesu FT-1D, and the SCU-18

I had almost given up on programming my Yaesu FT-1D on my Linux computer.  The software provided by Yaesu wouldn’t work on Linux and CHIRP didn’t support the radio.  Well, CHIRP didn’t support it until now.  While it’s not official, their daily build claims to support the radio and that makes me excited.  But there’s still a problem.

The programming cable that is provided by Yaesu, the SCU-18, doesn’t seem to be recognized by my Linux system.  Well, it’s recognized but it doesn’t actually attach the device to a port so I can use it.

usb 3-1: new full-speed USB device number 12 using xhci_hcd
usb 3-1: New USB device found, idVendor=0584, idProduct=b03a
usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 3-1: Product: USB-Serial Converter
usb 3-1: Manufacturer: RATOC Systems,Inc.

and

Bus 003 Device 013: ID 0584:b03a RATOC System, Inc.

It turns out the device appears to be a RATOC System USB60MB.  What Yaesu is shipping looks just like those devices, except that where the 9-pin serial connector would be there is a proprietary USB plug instead.

I think this is the only part that is holding me back.  I’m hoping to talk with a few people tomorrow that can hopefully help remedy the problem.  I feel that I’m really close to a solution, though, and hope to make this process easier for other Linux users out there.

SouthEast LinuxFest 2014 – Day One

After a crazy cab ride from the train station I arrived at a hotel that is in the general area of SouthEast LinuxFest (SELF) but not co-located.  *sigh*  This side of Charlotte isn’t as pedestrian-friendly as it could be.

The first day (Friday) of SELF was pretty good.  I generally stayed close to the security track which included talks on DNSSEC, IPv6, and a history of information security.  All very interesting and, specifically the IPv6 talk, got my head going.  Being a former network guy I hadn’t had to think about the impact and possibilities of IPv6 on enterprise networks and the infrastructure that resides on those networks.  I also learned of a “new” firewall that deserves a closer look.

On the Fedora front, I was able to work on a few Docs Project pieces that needed some collaboration to get straight.  I’m also talking up my thoughts on implementing a process to help manage (and close) security bugs within Fedora.

I’m hoping day two is just as good as today was.

PGP Keysigning Event and CACert Assertion at SELF2014

SouthEast LinuxFest is happening this upcoming weekend.  I offered to host a PGP (I’ll substitute PGP for GPG, GnuPG, and other iterations) keysigning and CACert Assertion event and have been scheduled for 6:30 PM in the Red Hat Ballroom.  Since there is a little bit of planning needed on the part of the participant I’m writing this to help the event run smoothly.

Participating in the PGP Keysigning Event

If you haven’t already, generate your PGP keys.  Setting up your particular mail client (MUA) is more than what I’ll discuss here but there are plenty of resources on the Internet.  Send me (eric@christensenplace.us – signed, preferably encrypted to 0x024BB3D1) the fingerprint of your PGP key no later than 3:00PM on Saturday afternoon.  If you don’t send me your fingerprint by that time you’ll be responsible for providing it to everyone at the keysigning event on paper.  Obtaining your key’s fingerprint can be done as follows:

$ gpg --fingerprint 024bb3d1
pub 4096R/024BB3D1 2011-08-11 [expires: 2015-01-01]
 Key fingerprint = 097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
uid Eric Harlan Christensen <eric@christensenplace.us>
uid Eric "Sparks" Christensen <sparks@redhat.com>
uid Eric "Sparks" Christensen <echriste@redhat.com>
uid Eric "Sparks" Christensen <sparks@fedoraproject.org>
uid [jpeg image of size 2103]
uid Eric Harlan Christensen <sparks@gnupg.net>
sub 3072R/DCA167D5 2013-02-03 [expires: 2023-02-01]
sub 3072R/A9D8262F 2013-02-03 [expires: 2023-02-01]
sub 3072R/56EA1030 2013-02-03 [expires: 2023-02-01]

Just send me the “Key fingerprint” portion and your primary UID (name and email address) and I’ll include it on everyone’s handout.  You’ll need to bring your key fingerprint on paper for yourself to verify that what I’ve written on the paper is, indeed, correct.
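As an added example, not from the post, the following Python parses `gpg --fingerprint` output in the format of the listing above, pulls out the key ID, the fingerprint and the UIDs, and compares a fingerprint read off paper (spaces, colons or lower case are normalised away) against all 40 hex digits.  It also shows that the short key ID is just the last 8 digits of the fingerprint, which is why the handout check has to cover the whole fingerprint.  The sample listing is a constructed subset of the one above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the format of `gpg --fingerprint` output shown in the post
SAMPLE_OUTPUT = """\
pub 4096R/024BB3D1 2011-08-11 [expires: 2015-01-01]
 Key fingerprint = 097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
uid Eric Harlan Christensen <eric@christensenplace.us>
uid Eric "Sparks" Christensen <sparks@redhat.com>
sub 3072R/DCA167D5 2013-02-03 [expires: 2023-02-01]
"""

FPR_RE = re.compile(r"^[0-9A-F]{40}$")  # v4 OpenPGP fingerprint: 160 bits as hex


def normalise(fpr: str) -> str:
    """Drop spaces, colons and anything else that is not a hex digit; upper-case the rest."""
    return re.sub(r"[^0-9A-Fa-f]", "", fpr).upper()


def parse_fingerprint_output(text: str) -> Dict[str, object]:
    keyid: Optional[str] = None
    fpr: Optional[str] = None
    uids: List[str] = []
    for line in text.splitlines():
        m = re.match(r"pub\s+\d+[A-Za-z]/([0-9A-Fa-f]{8,16})", line)
        if m:
            keyid = m.group(1).upper()
        m = re.search(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+)$", line)
        if m:
            fpr = normalise(m.group(1))
        m = re.match(r"uid\s+(.*)", line)
        if m:
            uids.append(m.group(1).strip())
    return {"keyid": keyid, "fingerprint": fpr, "uids": uids}


def key_ids(fpr: str) -> Dict[str, str]:
    """The short (8 hex) and long (16 hex) key IDs are the tail of the fingerprint."""
    f = normalise(fpr)
    return {"short": f[-8:], "long": f[-16:]}


def matches_paper(handout: str, verified: str) -> bool:
    """True only when both are full fingerprints and every one of the 40 digits agrees."""
    a, b = normalise(handout), normalise(verified)
    return bool(FPR_RE.match(a)) and a == b
```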

At the event we’ll quickly do a read of all the key fingerprints and validate them as correct.  Then we’ll line up and do the ID check.  Be sure you bring a photo ID with you so that we can check the identity you claim against what the authorities say you are.  People are generally okay with a driver’s license; some prefer a passport.  Ultimately it’s up to the individual what they will trust.

CACert Assertion

CACert is a free certificate authority that signs X.509 certificates for use in servers, email clients, and code signing.  If you are interested in using CACert you need to go sign up for an account before the event.  Once you have established an account, log in and select “US – WoT Form” from the CAP Forms on the right side of the page.  Print a few of these forms and bring them with you (I hope to have a final count of the number of assurers that will be available but you’ll need one form per assurer).  You’ll need to present your ID to the assurer so they can verify who you are.  They will then award you points in the CACert system.

Questions?

If you have any questions about the event feel free to ask them here (using a comment) or email me at eric@christensenplace.us.

Open Source Libraries

An article on Opensource.com caught my attention today.  The article focused on developing and using open source solutions in libraries.  Libraries are one of the places where openness and sharing go hand-in-hand.  Why more open source software solutions aren’t found there I don’t really understand.

Take my library for instance.  There are ten computers there for the public to use.  These computers are running old versions of Microsoft Windows and old versions of Internet Explorer.  The software is so old and antiquated that I’ve actually had problems using some web applications on these computers.  The library also uses the SirsiDynix software for its ILS solution.  This software offers one of the worst search experiences I’ve ever had.  Even if I know the title of the resource I’m looking for it doesn’t generally help in locating the resource in the database.  The system also lacks a history feature that would let you obtain a list of items you’ve checked out.  It would also be nice if their system integrated with the state’s electronic library so that a single search would show books (and media) available locally as well as electronic versions available from the state.

I want to take a closer look at Koha and see if their ILS solution is any better.  If it is I may approach my library management people with this solution.  I will propose they use Linux (Fedora?) for their public computers as it will yield a more secure and better web-browsing environment at less cost.  Libraries support sharing and learning and should take advantage of the sharing and learning that comes with open source software.

CHIRP – Open source programming of your amateur radio

Cross post with Radio W4OTN blog

A screenshot of CHIRP

In the past I’ve been frustrated by a lack of Linux-supported software for programming my amateur radios.  Sure, the Kenwood software that they gave you to use would kinda work under Wine but it’s Wine and who wants to operate under that?  Last year I discovered a project that aimed to solve my problem.  CHIRP is an open source alternative to other pieces of software that allow you to program your radios.  Supporting many of the current radio models, this software allows you to create your channel list and then use that on every radio you own.

Last year when I tried the software it wouldn’t program frequencies in the 70-cm band correctly.  That bug has been fixed and many features added as well.  There are even static lists of frequencies one might want to include on their radio including the FRS channels, 60m channels, NOAA weather radio channels, and others.  The software even interfaces with online frequency repositories making it easy to program repeaters into your radio when you are traveling to a new area.

The software is available for Linux, Mac, and Windows and is currently available in the Fedora software repositories (sudo yum install chirp).

An open source eReader?

After poking around the Indie Bound (independent book sellers) website looking for a book I noticed a button for e-books.  Curious as to how that works with small bookstores I selected the link and started reading up on their eReader, the Kobo eReader.

I did a quick read on the Kobo and discovered it uses the open standard ePub file format for its books.  Sure, there are other eReaders on the market that do that but how many also publish their source code repository?  At least some of their code is licensed under the Apache 2.0 license!  That’s fantastic, in my opinion, and makes me forget about the Kindles and other eReaders out there that beg for my money.

I’ll be doing more research on this product as my local bookstore, The Annapolis Bookstore, sells the devices and the eBooks.  As I do more research I’ll report back on what I find.