Computer Security, Privacy & Functions – An Overview & Questions

Recent events in the computer services arena have reminded me again of some loose ends in my postings. I’ve got nothing on how to set up your own Web Server (so not dependent on someone like WordPress) nor how to set up your own email server (which is a PITA to admin as the SPAM load becomes gigantic), nor how to do secure “Social Media” (as until a week ago I never ever did ANY “social media” as it is by definition just a giant personal security exposure). Is any of that of interest? I’d just figured likely not.

My general view tends to be biased toward setting up shops for companies (as I’ve done that more than anything else). I’ve also avoided “Desktop Services” for the simple reason that they are almost 100% Microsoft based; which makes them “icky” in a very very large way, and IMHO they are insecure from the start. While I suspect this is from TLA (Three Letter Agency) influencing operations, it could just as easily be incompetence. In either case, the general feeling of repugnance it gave me kept me away. So I tend to see the world with a “back room” bias.

With that bias stated (so folks can adjust for it), here’s my view of Secure Systems Needs and some generalized comments. The whole idea here is to generate feedback. This is how I order things, but you WILL have different desires and opinions. So “what am I missing?” What is the bit you really want that I’m ignoring? What is the thing I’m clearly caring about where you just don’t give a damn? Put up your wish list. Not saying I’ll do anything about it, but I will consider it for future postings.

So is your crying need for a monitoring proof telephone? Not needing a TLA proof system, just a way to pop a DVD or CD into your laptop (to boot something other than Windows since otherwise you just defeated yourself) and have a secure “computer to computer” telephone call? (Skype without the Big Brother problems) Or do you want a dedicated SBC (Single Board Computer) that sets up a VPN to your friend and lets you swap files and chat / IM (Instant Message)?

Here’s my view of the lay of the land, ordering of things:

Properties & Processes desired in a secure system.

Properties:

1) Hardware & Software not subject to TLA/Vendor compromises (“backdoors”)

2) Secure (encrypted / hidden) data storage

3) Anonymity – of person. of machine. of services. of location.

4) Secure (encrypted) communications methods

5) Hack proof / resistant services.

6) “Chatty” about suspicious activity / hacking attempts. (IDS / IPS).

Processes, Procedures & Materials:

1a) Hardware. Biggest threats are USA TLAs (Intel chips) and China (just about everything else fabbed / assembled in China.) In general, folks building small appliances like routers, cameras, and firewalls are very “close to the hardware” and spot anomalies early and often. Hardware for desktop use gets less scrutiny. It is better to use boards that are intended for non-desktop use. For that reason I’ve focused on the Raspberry Pi and the Korean boards from Odroid. In theory, the Korean boards are a bit more hack proof, but are also a bit harder to “make go” with smaller user community and less software choice. Until proven otherwise, either board ought to be “safe enough” for anything not in the “Spy vs Spy” arena. Other boards, like the Orange Pi family, ought to be similar, but being sourced / fabbed in China are by definition suspicious. I’ve had several encounters with things from China arriving from the factory “pre-hacked”.

1b) Software. Open source, widely available and strongly inspected for security. That would be BSD first and foremost. OpenBSD, FreeBSD. They are hardened and more secure than just about anything else available to the general public. OpenBSD in particular. They are NOT without risk. There is always the chance of a creative attack on an unexpected bug. (“Bug” does not necessarily mean “software error”. Many classes of attack are really attacks on an unexpected interaction of software or hardware choices. It is often the case that good well written software can have an unexpected interaction that was not foreseeable. While system Crackers work to find those obscure edge cases, systems programmers work to eliminate them just as fast.) But BSD is hard for a novice to install, configure and operate. A very close second is Linux. I would avoid SystemD based Linux as it opens a large attack surface on a key part of the system that is NOT well understood, nor well inspected by many eyes, nor well proven in decades of use. In short, it’s an unknown risk on a key and large attack surface. Not good. For that reason Devuan on a Raspberry Pi is my base system, with BSD second.

2) Data Storage. LUKS is the usual Linux encrypted disk method. A system can be built on a LUKS encrypted disk fairly easily. Any disk volume can be encrypted as well. Individual file encryption has even more choices. As just a quick sample, this is the result of asking Devuan what commands have something to do with encryption (on a system where I’ve not yet installed luks):

cbc_crypt (3)        - fast DES encryption
crypt (3)            - password and data encryption
crypt_r (3)          - password and data encryption
des_crypt (3)        - fast DES encryption
DES_FAILED (3)       - fast DES encryption
des_setparity (3)    - fast DES encryption
e4crypt (8)          - ext4 filesystem encryption utility
ecb_crypt (3)        - fast DES encryption
gpg (1)              - OpenPGP encryption and signing tool
passwd2des (3)       - RFS password encryption
symcryptrun (1)      - Call a simple symmetric encryption tool
xcrypt (3)           - RFS password encryption
xdecrypt (3)         - RFS password encryption
xencrypt (3)         - RFS password encryption

There are others. An examination of the choices and decision tree is in order, I think.

3) Anonymity is usually supplied by using TOR / Tails. The Onion Routing network. Using a VPN service can also help for “lite weight anonymity” in that it masks IP and point of origin and moves your identity information to the VPN service provider (often in a different National Jurisdiction). TOR is a well defined and established service. Are there others? Better? Worse?

4) Privacy of communications divides into a couple of types. One is the direct machine to machine communication of bits. The other is person to person via things like email and “chats”. For machine to machine, TOR is the extreme case. It hides both the bits in the communication and the “contact trace”. Who is talking to whom? IF you do not care about hiding the existence of the connection, a simple encrypted VPN (Virtual Private Network) works fine. They are widely used in businesses. Individuals can use them in places like coffee shops to have an encrypted link between their laptop and a remote server that then originates their traffic to the internet proper. (Thus blocking packet sniffers in the coffee shop from seeing what’s in the data packets).

For private person to person communications, one can use a drop box or direct file transfer of an encrypted file (so a letter might say “read this” and have all the real information in an attached encrypted file.) For that to work, you must have a way to exchange encryption keys that is secure; or use “Public Key Encryption”.

There are also several providers and methods of Public Key encrypted email. That’s a place I need to search and settle on a provider. This also has the burden that you must create a “Public / Private Key Pair” of a paragraph or two of bits, and configure / save / secure them; then exchange them with others doing encrypted email. Most people are too lazy to do this, so encrypted email has not taken off in any big way.

Related is the notion of encrypted chats and telephony. IP Telephony is now common. Just running it over an encrypted VPN between two sites is sufficient. If desired, the workstations themselves can negotiate an encrypted link. Avoid software like Microsoft Skype as it is highly likely to be TLA compromised. There are open source alternatives that I need to list and describe. (I’ve not done this just because I’ve never wanted nor liked the Skype like services.) My Family tends to use Apple Facetime, which has historically been fairly secure but locked to Apple platforms. I’m not sure that security can continue to be assumed.

5) Secure Services: TBD. There’s a lot of very IN-secure services. Google Chrome loves to get you to stuff your data onto their servers and use their (remote hosted…) software services. All of that is highly suspect. ANY Cloud data storage is a bit suspicious and a big risk (unless you have encrypted the “blob” before you stick it there). Similarly, having all your written documents and photo processing on remote services just means there is a huge risk of meta-data (who what where…) being collected or text key word scanned. In general, local processing on a secure BSD or Linux box for things like text, images, spreadsheets, etc. ought to be secure. The LibreOffice suite provides most of these and GIMP is good for photos (if a bit complicated and obscure – but then again most image processors are…) Beyond those, just what services would be desired? Not a lot for me.

There are infrastructure services I think are critical to have in house. DNS server is one. This lets you CHOOSE your “upstream” DNS provider (so your ISP doesn’t by default know everyone you look up) and you can use advertising blocking sources by default. In addition, you can block whole IP ranges from returning results. Do you REALLY want to connect to servers whose IP originates in China? Afghanistan? Iran? (parts of Virginia and Washington DC?… just sayin’…) Similarly, having control of your own router lets you “kill” routes to places like Russia. Riddle me this: WHY would the DNC server or Hillary’s server be connected to a network that even allows routing to Russia? At least force the system attack to come through a USA, Canada, or EU VPN provider where you might have some cooperation in tracking it. To me this is “basic essentials”, but YMMV and most folks think about it exactly never.
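The filtering policy described above (name blocklists plus refusing answers that land in unwanted IP ranges), modelled as an added example; it is not code from this post or from any particular DNS server. The blocklist entries are constructed, using documentation-only ranges and example domains, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample policy. The networks are RFC 5737 / RFC 3849 documentation
# ranges standing in for whatever address blocks you decide not to talk to.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in
                ("198.51.100.0/24", "203.0.113.0/24", "2001:db8:bad::/48")]
BLOCKED_NAMES = {"ads.example.net", "tracker.example.org"}


def name_blocked(qname, blocked_names=BLOCKED_NAMES):
    """True if qname itself or any parent domain is on the name blocklist.

    Matching is done label by label, so "badads.example.net" does not match
    an entry for "ads.example.net", but "cdn.ads.example.net" does.
    """
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocked_names for i in range(len(labels)))


def addr_blocked(text, blocked_nets=BLOCKED_NETS):
    """True if one answer address falls inside a blocked network."""
    addr = ipaddress.ip_address(text)
    # An IPv4-mapped IPv6 answer (::ffff:a.b.c.d) reaches the same host as the
    # plain IPv4 address, so judge it by the embedded IPv4 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in blocked_nets)


def filter_answer(qname, addresses):
    """Return (rcode, addresses) as the in-house resolver would give the client.

    Policy assumed here: a blocked name is answered as if it did not exist;
    blocked addresses are dropped from the answer; if nothing is left, the
    name is also treated as nonexistent.
    """
    if name_blocked(qname):
        return "NXDOMAIN", []
    kept = [a for a in addresses if not addr_blocked(a)]
    if addresses and not kept:
        return "NXDOMAIN", []
    return "NOERROR", kept


if __name__ == "__main__":
    # Constructed upstream answers.
    samples = [
        ("www.example.com", ["192.0.2.10"]),
        ("cdn.ads.example.net", ["192.0.2.10"]),
        ("shop.example.com", ["198.51.100.7", "192.0.2.11"]),
        ("v6.example.com", ["::ffff:203.0.113.9"]),
    ]
    for qname, upstream in samples:
        print(qname, upstream, "->", filter_answer(qname, upstream))
```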

The biggest insecure “service” is the typical web browser. Collecting loads of “cookies” and “beacons” and having all sorts of Java Stuff running beyond your control. (“Dancing Java Craplettes” was my name for them, now mostly turned into auto-run video crap.) There has been progress of an optional sort… First off, TOR makes available the TOR browser. It is, near as I can tell, the only really secure browser. But to make a browser secure is to break many of the functions folks have come to expect. JavaScript, for example, gets turned off. Any site running JavaScript now fails. Similarly, Flash is a security issue so ought to be removed. In the end, I find it best to just limit the use of Web Browsers to a dedicated system where you do nothing else. Periodically scrub and reset it. I also spread my browsing around between a half dozen browsers on 3 or 4 otherwise uninteresting platforms (an old recycled Mac, a Pi, a Tablet that only looks at Youtube videos and browses) but that is likely more than most folks care to do or need to do. Just realize that first and foremost you must have at least ONE computer where you do things that you expect to be secure, and NEVER EVER use it for browsing or public email. (That is, only use it for any email that is inside the shop only, on a self run email server NOT an outside vendor, or via VPN to other closed shops. Have a different email server and ID for that use than for your “internet persona”. Never the two shall meet.) I likely need to describe an appropriate model architecture for this use case. Explaining the difference between an open full function browser, a “private browsing window” inside of it, an isolated browsing station, and TOR might also be of benefit.

6) Most folks in the home environment are blissfully unaware of their computing and communications environments. They want it to “just work” and otherwise be silent. Yet there is a constant shit storm of hacks, cracks, and system attacks underway. A better way of doing things is to have your overall system / site “nag” you about that. This is the realm of IDS Intrusion Detection Systems / IPS Intrusion Protection Systems. From the simple home ISP provided router / firewall up to full on IPS / IDS dedicated packet inspection engines; it is a large and very complicated topic. How often have you looked at your router statistics to see the number of “broken packets” it dealt with? There are many kinds of attacks that depend on particular kinds of distorted data communications packets. If those stop “at the gate”, fine, but if they show up “inside your house”, a red alarm ought to go off. (Either you are being hacked and successfully got through the ISP -Internet Service Provider- firewall, or you have defective network gear inside.) I’ve pointed to some of the open software choices in a prior posting, but not gone into detail. Is there really interest in the details?

In Conclusion

So that’s the way I see things. It is a huge and terribly complicated field. I see it from the belly of the beast. That is unlikely to be the best point of view.

Is there something that in your POV (Point Of View) is missing? Is there something I covered, but in such a jargon heavy way your eyes glazed but you would like a “human friendly” do-over? Or would folks rather just go back to talking politics and who is tossing mud at whom lately? ;-)

About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons" are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits.

16 Responses to Computer Security, Privacy & Functions – An Overview & Questions

  1. seabrznsun says:

    As a low tech grandma, I was wishing just the other day that I could understand half of what you spoke about in your articles. Way above my head. Interesting reading always. Occasionally I’m able to grab a tad here and a tad there. I just want my little iPad and iPhone world to stay safe.
    Thanks for all you do for those who benefit from your knowledge.

  2. E.M.Smith says:

    @seabrznsun:

    FWIW, the iPad and iPhone are among the best security you can get without a headlong plunge into the world of Tech and “DIY *Nix” like Linux or BSD.

    The non-Tech parts of my family live on them.

    You can avoid 95%+ of all the attacks just by avoiding Microsoft and Android. That may change in the future with Apple getting more market share, and with the increasing pressure from the USA & China on Apple; but so far they have not presented evidence of being compromised by governments. (Beyond compliance with China inside China).

    There’s a “dirty little secret” about Tech:

    It isn’t monolithic and you can just nibble off bits to conquer. The only thing folks with lots of skill have, that you don’t, is “time in seat”. Now, since lots of the turf tends to re-invent every 5 to 10 years, anyone can pick a new bit and be just as good as anyone else in about a year. For an old area, you start in and in about 4 years you are ahead of 5/4 ths of the field.

    Take, for example, DNS. It takes about 2 days to learn most of what there is about DNS and setting up DNS servers. Want to be a DNS Goddess? Dedicate a weekend to it… It will NOT be an entertaining nor fun weekend (unless you are the Geek sort ;-) but that’s the workload.

    So just pick one small part of the turf that matters to you. Then take a machete to it and start whacking the weeds out of your way. Pretty soon you will be the “local expert” in that one thing.

    Take, for example, writing computer programs. In my “Intro to Computers” class I loved to point out that the first programming language I learned was Knitting from my Mum. She had books of “how to knit a sweater” and other things. That IS a programming language! It has “subroutines” (where it says “repeat sleeve 2 x ” and has a block at the bottom of how to knit a sleeve) and it has a main program (the thing that calls out those subroutines) and on and on. ANYONE who can knit from a book already understands the basics of programming.

    About then the women in the class would wake up and smile and the men would look perplexed ;-)

    I really enjoyed that moment. Realize that women were two of the key programmers in the history of computing. Ada Augusta Countess of Lovelace was the first programmer ever. Rear Admiral Grace Hopper invented the COBOL programming language.

    https://en.wikipedia.org/wiki/Ada_Lovelace
    “Between 1842 and 1843, Ada translated an article by Italian military engineer Luigi Menabrea on the engine, which she supplemented with an elaborate set of notes, simply called Notes. These notes contain what many consider to be the first computer program—that is, an algorithm designed to be carried out by a machine. Lovelace’s notes are important in the early history of computers. She also developed a vision of the capability of computers to go beyond mere calculating or number-crunching, while many others, including Babbage himself, focused only on those capabilities”

    https://en.wikipedia.org/wiki/Grace_Hopper

    In 1954, Eckert–Mauchly chose Hopper to lead their department for automatic programming, and she led the release of some of the first compiled languages like FLOW-MATIC. In 1959, she participated in the CODASYL consortium, which consulted Hopper to guide them in creating a machine-independent programming language. This led to the COBOL language, which was inspired by her idea of a language being based on English words. In 1966, she retired from the Naval Reserve, but in 1967, the Navy recalled her to active duty. She retired from the Navy in 1986 and found work as a consultant for the Digital Equipment Corporation, sharing her computing experiences.

    We also get the word “bug” from when Grace Hopper pulled a bug out of a relay in one machine and corrected the operation. It was a literal bug in the machine!

    While she was working on a Mark II Computer at Harvard University in 1947, her associates discovered a moth that was stuck in a relay; the moth impeded the operation of the relay. While neither Hopper nor her crew mentioned the phrase “debugging” in their logs, the case was held as an instance of literal “debugging.” For many years, the term bug had been in use in engineering. The remains of the moth can be found in the group’s log book at the Smithsonian Institution’s National Museum of American History in Washington, D.C.

    So do note that just like “Grandma COBOL” Grace Hopper: There is nothing in computing that stands in the way of women or age.

  3. seabrznsun says:

    As usual, you’re inspiring. Thank you ☺️

  4. p.g.sharrow says:

    @EMSmith; We have been exploring this path thru the forest of possibilities, for 6 years? The SBC Pi running Devuan OS seems to be a good foundation to work from. A secure VPN would seem to be the next logical step. My family is using ICQ, now a Russian provider, for private direct communication. I should think something in this vein should be the next step. A primer or class in creating some kind of secure communication network based on the SBC that can do anything would be the next step. Security must be built in, both in the equipment and the users’ work habits.
    You have seen my fancy “computer lab”, that upper screen has the Raspi-3 mounted to the screen. The lower one is an Intel-MS box. While I seem to be trapped into the Microsoft world because of others’ needs I know that it is a dead end. A new way must be established. …pg

  5. Steve C says:

    – Another Wise Woman is Elizabeth ‘Bess’ Rather, co-founder of FORTH, Inc and keen worker on and proponent of the language over the years. She now lives (according to Wiki, where she gets a thin page) in Hawaii, where I hope she enjoys a long and happy retirement.

    I’ll be interested in as much as you can find the time and energy for on any or all of the above. I recall reading a few years ago that Richard Stallman’s laptop had an open-source BIOS – perhaps you could also have a reference page of handy links to interesting or useful stuff like that which turns up as we go along.

    Also, I’ve read a couple of times in recent months of people apparently ‘losing’ images and other documents from their servers, so maybe a general server security overview would also be of use. On both those occasions my own immediate mental response – I have never run a server – was “You put your actual original source material on the server??? 8-0” – but it does sound like there is a general need for a little more enlightenment …

    Roughly how many Raspberry Pis will we need for a full setup? ;-)

    Re. secure email, I have used paid-for Hushmail for several years now and am well pleased with it. Virtually no spam (worth paying for by itself), no fuss, excellent customer service even to a mere ‘home’ user. Their security stance is that they will bust you to the authorities if they see evidence that you are using their service for illegal activities, but that they do not otherwise respond to ‘fishing’ requests, which is OK by me.

    Usual disclaimer, no connection except as satisfied customer, etc. ;-)

  6. seabrznsun says:

    Thanks for another name Steve C. I’ll add “Bess’s” name to my list of things to check out to further broaden my knowledge base.

  7. D. J. Hawkins says:

    We have a plethora of devices at home. I am, somewhat by default (my diploma has the word “engineer” in it), the sysadmin. Without dedicating boxes or buying off-site services, how can I best secure my little corner of the sky? We recently changed to Optimum for internet access. Imagine my surprise to find they have blocked Port 80, which my Replay TV needs to get the channel information from my provider. I’m “girding my loins” to hassle Optimum about unblocking the port, and now I wonder if that’s a good idea. Your thoughts?

  8. E.M.Smith says:

    @Steve C:

    How many R.Pi boards? Depends on what you want to do and total workload. I think you could likely get by with just 2 or 3 (but 2 would depend on having a router / firewall you trust); but it could easily run up to 1/2 dozen for folks like me ;-)

    Where I see “isolation of functions” and not just “size of workload” divisions that are better with dedicated hardware:

    ISP Router – provided by ISP usually and sometimes not in your control.
    On this “ISP” or DMZ network I would have my email server / gateway (if using my own)
    Also any VPN server for “phone home” VPN use
    Any external Web Server if you wanted one
    Any Proxy Servers (for things like caching web pages and isolation of attack surfaces)
    Optional DNS server (it can be on your “inside” network if desired to be more protected)

    At present I have my DNS server, Web Proxy server, Web Server (minimal pages) and a couple of experimental things running in that DMZ mode on an old Raspberry Pi B+ (single CPU 700 MHz…) and it is idle about 95% of the time…

    Then your “interior router”. I’m using a NetGear, and it seems adequate. At some point it will be better to make a “roll your own” Access Point / Firewall / Router via a single Pi board; but unless really really worried, having a commercial product (one where you DO update the software…) is good enough (unless dealing with TLAs…)

    On this “private” or inside network, I would have at least one Server Pi and one Desktop Pi. Then some “disposable system” for various browsing. This can just be a “chip” you swap into the Desktop Pi that just has a browser and not much else. When done browsing, you reset the chip if desired or just do basic cookie tossing ;-) getting rid of the crap that crawls down your computers throat when it visits strange places. The Desktop Pi is either a completely separate board or just a separate chip / disks. It NEVER is used for things that are not private. If really worried, the “Browser” system is only used on the “ISP” or “DMZ” network, so that even if compromised, they can’t see “inside the house net”. If a distinct chip, then when in use your “private side” chip and disks are powered off anyway, so secure.

    Perhaps I need a section on “security practices” in how you operate things ;-)

    So I’d put the minimal set at 2. One DMZ Pi and one “Desktop Pi” with chips swapped for “Desktop that is its own server” and one for “Browser and dodgy stuff”.

    Better would be a dedicated server box so that can be offloaded from the Desktop Pi (and still be running for things like IDS / IPS and file server). At that point, you really only need more if you have the workload to support it (i.e. box getting slow) or want a particular service up all the time (like a personal email server or VPN target or bittorrent server or TOR server node… )

    Now I’m more hard core and don’t mind extra $35 hardware, so I’m figuring on a “roll my own” access point router firewall, and a couple of dedicated servers for VPN and such. That bumps my number up to about 6. But at that point I’m actually finding it hard to get them all busy.

    They spend most of their time “off”… (Just the DMZ Pi is 24 x 7 x 365 as it is DNS and Web Proxy to everything in the house on all networks) Do note that most secure sites mandate you use a Web Proxy Server as they enhance security a good amount AND cut web traffic down a lot via cache operations. By having a proxy that is locked down talking to the web (“ports” closed for non-web functions like email or chat or 1001 other things) the attack surface is reduced to just the port 80, 8008 or 8080 web ports:
    https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

    I chose Alpine Linux for this server as it is already a hardened router type release. It’s a bit different to configure (has router behaviours like you MUST explicitly save config changes to the archive state or it will reset to that last saved state on a reboot – useful if someone hangs the box – just reboot and you are reset.) and has many functions already secured.

    Being behind a NAT firewall from the ISP also means inbound traffic only goes to the originating IP address, so all HTTP / HTTPS goes to the proxy server (a locked down router / firewall board) and only then do valid HTTP / HTTPS bits get sent on to your Desktop browser.

    Until a few days ago I had an inside server, but had only configured it to run a file server. That Orange Pi chip corrupted and doesn’t boot, so now I’m just running my “disk farm” on my Inside Desktop Pi chip in one Pi board and only when I need those disks. I’ve mostly been just using 2 chips and the rest of my “kit” has largely been off / ignored as I’ve been busy. I think that defines the minimal set.

    The maximal set adds 6 more boards for me, but 4 of them are just a compute cluster for parallel processing development… Hardly what most folks would ever need.

    Per “Hushmail”:

    There’s a problem with all external providers. You must trust them.
    There’s a problem with all internal DIY email. You must do it right.

    Choosing between those is always a PITA and always subject to making a mistake… either way.

    Per “original only on server”:

    Yeah, with you on that. I typically have a copy on my private side desktop, in the file server, and usually on some “removable media” that is typically off-line. (Something about lightning hitting a site and wiping out everything plugged in that makes me fond of off-line and off-site archives for really important stuff. A small safe deposit box holds a lot of TB USB drives…)

    @D.J. Hawkins:

    While I’ve not done it, I think you could just set up a Web Proxy Server that takes in port 80 and spits it out on 8080 (or whichever is open). Might be easier and certainly more fun than fighting a provider… This is probably overkill, but the article covers a more complicated case while giving an idea what I’m talking about:

    https://raspberrypi.stackexchange.com/questions/9527/routing-http-traffic-to-different-http-adresses-depending-on-request-url

    Of course, if they have closed 8080 and 8008 as well, then you likely need to talk to them anyway.

    @P.G.:

    I’ve been contemplating a DIY VPN too long now. I think it’s time I made that Round Tuit and got busy ;-)

    I’m planning on a ‘roll your own’ cloud based server as an experiment and a Pi solution (but that requires I open a port on the AT&T router… which in theory I can do. Read their pages on it… done in a kind of dumb way, but I think I can get it right.)

    As VPN is one of those key privacy tools, it does look like the best “next up”. Once comfortable with it, you can both “change your point of origin” to the internet AND you can set up “time of use” VPN connects “site to site” for places where the communication must be private (i.e. businesses do this all the time for proprietary private networks) but the fact of the contact is not a concern. So if you regularly talk with your brother, everyone knows that already, setting up a point-to-point VPN and shoving entirely private your-server-only email to each other is about as secure and private as it gets.

    I’ve done lots of VPNs site-to-site but generally using CISCO routers. I’ve done lots of VPN “remote laptop” to “corporate network” set ups, but generally using Microsoft laptops and CISCO routers / comms gear. Guess it is time I got my feet wet with the Linux / Pi VPNs ;-)

  9. E.M.Smith says:

    Oh, and probably ought to mention media servers and TV and my “outside” workstation.

    I use either the Mac on a Chip (dead system SSD so runs from a chip in USB port) or my Android Tablet for “roaming” and Starbucks as ISP uses. They have nothing on them I care about, so “whatever” is more or less OK. I’m happy to reset as needed. The tablet is old enough some Apps are not supporting it (like Alex Jones was a no-go and I so wanted to add to his Google App download statistics ;-) So likely in another year or so I’ll get to explore how to put a Linux on it, too. It has been done by others (part of my decision to buy it about 6? years back…)

    For a while I played with a “Dongle Pi” as a proxy-me at Starbucks. That way the HP Laptop was isolated from exposure. Then the HP laptop fan died and I’ve not bothered to fix it (yet?).

    https://chiefio.wordpress.com/2013/05/12/dongle-pi/

    So for roaming functions, either a disposable machine or another Pi as proxy.

    I also have chosen to use Roku for the Media Server / TV box. I’ve not seen any security or real privacy issues with them (other than the usual “we know what you are watching” that’s hard to avoid). I’ve not had great success setting up the R.Pi as a media server, but other folks have. (Mostly I think that was my HDMI to DMI adapter… now that I have a real HDMI TV, I ought to test it again, someday, maybe ;-) IF I really cared about what was known of my TV consumption, I’d likely look more into Pi as Roku like device.

    Similarly, I’ve got a Chrome Box I bought some 3? 4? years ago as an emergency measure (when the HP Laptop fan died and I was “on the road”) that got me basic web services and email; but now is unloved. (Something about the Google “All your data are belong to us” internet based services just puts me off…). It is acting as a “web browser for the TV” and YouTube station. Basic media station thing (but with saving links and better searching than the Roku YouTube AND it does video sites other than YouTube where the ROKU has no app-for-that…) It would likely be better as some kind of Linux SBC / Pi. In theory I can install Linux on it, but just have not felt the need. It is off 90% of the time anyway, sits behind a firewall, and only does YouTubes and some limited “safe” browsing. Whenever it becomes unsupported I’ll try the Linux thing on it. Until then, it’s just “use it ’cause I have it”. But it could be seen as another use case / Pi needed. Maybe. IMHO the Pi M3 is marginal for Video and doesn’t do High Def well, where the Chromebox with an Intel processor is fast and smooth. Maybe when the Pi 4 comes out ;-) (Or my Odroid….)

  10. ossqss says:

    Port 80 is the typical port for internet connectivity IIRC. Is this outaide of the USA?

  11. ossqss says:

    Dang mobile keyboard….. outside not outaide!

    I had to port forward my CCTV system to port 84 to get it to work. FWIW

  12. Steve C says:

    @E.M. – That sounds pretty feasible, then. I shall follow with interest – I don’t mind having multiple boxes if it makes the system more usable, although if a single Pi can handle most of the security stuff that sounds a perfect box for *anyone* to install immediately this side of the ISP box, before *anything* else. It would be nice to switch the ISP’s WiFi off, for a start.

    BTW, what’s the HDMI connector on a Pi? – I picked up a clearance-price HDMI-VGA converter during the death of Maplin, which has a Type C plug, so I’m hoping it will finally make me Pi compatible. If not, dammit, yet another adapter!

    A thought. Given that optical discs are pretty reliable, is it feasible to keep an internal mirror of the most mission-critical areas of your site on an installed CD/DVD, with a daemon keeping an eye on things and immediately overwriting any unauthorised changes as they occur? A sort of real-time “Deep Freeze” protection, at the same time not asking the optical drives to service calls at (literally) “full thrash”. Excuse me if it’s an “Everybody does that anyway, eejit!” call, but I don’t recall ever seeing a rather obvious notion discussed.

  13. E.M.Smith says:

    The IDS / IPS functions include a “change control” process that watches selected files for data or metadata changes and hollers about it / recovers it.

    I’ve used optical disks for deep archive before. We had an optical robot at Apple. It has more logistical issues than just using regular tape / disk. A regular USB disk mounted “read only” on one system then exported as read-only via NFS to the exposed box is pretty bullet proof. The IDS / IPS then watches for changes between the archive copy and the live one and reacts. Unless the intruder breaches to root on the inner file server box UNDETECTED and figures out to do a remount UNDETECTED and … basically a lot of stuff has to go right for them in a very hard to do situation…

    I’ve had more optical disk read / writer drives die than anything else. The LEDs are not long life.

    Then the tech seems to mutate about every 5 ish years. Then there’s the 20 variations of “standards” and… So I have a large stack (few spindles worth about 6 inches each) of saved data on optical media (mix of CD / DVD of a few standards) and NO working optical reader at the moment as ALL my CD / DVD drives “aged out” and stopped working. I think I’ve got an old working one on an archived out of date computer, but not felt willing to go through the whole boot up and fix os and all process to find out.

    I basically settled on USB magnetic disk drives either powered off and unplugged or mounted Read Only on a file server as my preferred solution. Also compare the size of a 4 TB USB disk to 4 TB of CD or DVD disks…

    Per Pi HDMI:

    Don’t know, hit the Pi site for specs. I just plug it into my TV and it works ;-) The one with an adapter works for the video, but the audio is flaky. Don’t know if it is a Pi Audio thing or an HDMI adapter thing, but think it is the adapter. As my new 1080 p High Def 20 inch TV cost me all of something like $80 with tax and gives me TV in the office too, it’s my preferred solution to the “old monitor” problem…
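
The "change control" check described in the comment above (compare the live files against a read-only archive copy, report differences, recover them), sketched as an added example; it is not the commenter's code or that of any particular IDS / IPS product. The function names and the sample trees built in `demo()` are constructed for illustration, and the archive path stands in for the read-only NFS mount.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

def fingerprint(path):
    """(SHA-256, permission bits); a symlink is recorded by target, never followed."""
    if os.path.islink(path):
        return ("link:" + os.readlink(path), 0)
    with open(path, "rb") as f:
        return (hashlib.sha256(f.read()).hexdigest(), os.stat(path).st_mode & 0o7777)

def snapshot(root):
    """Map relative path -> fingerprint for every file (or file symlink) under root."""
    return {os.path.relpath(os.path.join(d, n), root): fingerprint(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in names}

def audit(reference, live, restore=False):
    """Report differences between live and the archive copy; optionally undo them."""
    ref, cur = snapshot(reference), snapshot(live)
    findings = []
    for rel in sorted(ref.keys() | cur.keys()):
        r, c = ref.get(rel), cur.get(rel)
        if r == c:
            continue
        kind = ("ADDED" if r is None else "MISSING" if c is None
                else "CONTENT" if r[0] != c[0] else "MODE")
        findings.append((kind, rel))
        if restore:
            dst = os.path.join(live, rel)
            if os.path.lexists(dst):
                os.remove(dst)  # remove first so a planted symlink is not written through
            if rel in ref:
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.copy2(os.path.join(reference, rel), dst)
    return findings

def demo():
    """Constructed sample trees: change the live copy four ways, restore, re-audit."""
    base = Path(tempfile.mkdtemp())
    ref, live = base / "archive", base / "live"
    (ref / "css").mkdir(parents=True)
    for rel in ("index.html", "about.html", "css/site.css"):
        (ref / rel).write_text("original " + rel)
        (ref / rel).chmod(0o644)
    shutil.copytree(ref, live)
    (live / "index.html").write_text("changed")          # content differs
    (live / "about.html").unlink()                       # file removed
    (live / "css/site.css").chmod(0o666)                 # metadata only
    (live / "extra.html").write_text("not in archive")   # file added
    return audit(ref, live, restore=True), audit(ref, live)
```

The second audit returning no findings is the "recovers it" half: after the restore pass the live tree matches the archive again.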

  14. E.M.Smith says:

    @OssQss:

    Yes, port 80 is the standard. So is port 8008 and port 8080. In addition you can use any port you like with some effort…

    I think there may be some push to put HTTPS on the higher port numbers but I’ve forgotten the details. The link above to the port wiki says 443 is HTTPS then there’s a bunch of other HTTPS special purpose ports.

  15. Pingback: F2F – Friend To Friend Networking | Musings from the Chiefio

  16. Sam Sabboot says:

    How secure would something like the Blackberry Key 2 be, considering it has advanced (for a cell phone) security features.. yet relies on an Android OS?
