The Spark

--Originally published at TC2027 – Blog will Tear us Apart

First of all, sorry for taking so long on this post. Writing something personal has always been quite difficult for me, but actually that’s what this is about.

This past semester I enrolled in a course about digital security and privacy, a pretty different and unique course. I already knew who was teaching it, so I enrolled well informed of the teacher's approach to teaching: flipped classrooms.

My experiences with open and flipped classrooms are always fruitful; maybe my habits, personality and mentality fit this style. Being able to discover things on my own (with proper guidance), learning in a way that demanded not only reading and search skills but also the skill to craft and find the right questions, is incomparable.

I know school is finite. My days will soon be over, and the skill I value the most is the one I learned from this kind of course: being an autodidact. Sure, the teacher is there, and hell, he was always, always, ALWAYS watching. But the freedom was there too: we were told to select from a list of topics and investigate, discuss, ask on Twitter, go into the darkest subreddits, and the like. This allowed me to enjoy and focus on the process and experience of learning, rather than the topic itself.

Sure, I learned about the topic, and I learned a lot. But that depended on me and my own effort. I saw many classmates having trouble deciding what to do without a list of little weekly tasks, and they complained, quite a lot. But let me tell you guys something: the world will never give you a list of activities to do. In a job, they will give you a problem to solve, and your boss will expect you to solve

Continue reading "The Spark"

Requiem for a Disk

--Originally published at TC2027 – Blog will Tear us Apart

How to properly say farewell to your hardware.

Perhaps we know how to properly use our data storage devices: we know how to keep them safe, encrypt them and take care of their physical health. Thanks to that, these devices outlive our expected lifespans, and we find ourselves needing to improve our setup.

Sure, you might just RAID your PC, but most of the time improving means replacing. Perhaps it's time to change that old HDD and replace it with a new SSD, or perhaps your USB memory is no longer big enough. And we immediately embark on deciding, reviewing and Zero-Moment-Of-Truthing the available technology.

Then we proceed to install the new, shiny and beautiful hardware into our systems et voilà, we proceed to enjoy the pleasures of capitalism; naturally, we fulfill our consumerist responsibilities by deciding the fate of our late hardware.

I know, disposal is not your first option; don't worry, nor mine. Perhaps using it as cold storage might be useful, or perhaps you can sell it, lend it, give it away, or mod it to work as an external drive.

Regardless of how you decide the future of your device, you might want to format it. According to Wikipedia, formatting is:

Disk formatting is the process of preparing a data storage device such as a hard disk drive, solid-state drive, floppy disk or USB flash drive for initial use. In some cases, the formatting operation may also create one or more new file systems.

By creating a new file system it appears as if your data has been wiped from the drive; you're good to go and it becomes just an idle piece of metal. That's what most formatting tools do. I don't want to break

Continue reading "Requiem for a Disk"

Quick Tip: SUDO timeout

--Originally published at TC2027 – Blog will Tear us Apart

So, you've been playing around with your Ubuntu distribution, and suddenly you require sudo privileges in order to change or install a special feature. Thus, you enter your password and grant that privileged access to your computer.

I believe I don't have to remind you that being logged in as root is dangerous and you should only run commands and programs as root when you're 100% sure of what you're doing. In the default terminal, after you enter the password once, sudo lets you run subsequent commands with root privileges without a password prompt.

In my Linux experience I have typed commands that weren't meant to be run with root access, or found someone (my hacker girlfriend) accessing my root folders without having to enter any password.

After digging around I found a surprisingly easy way to modify the default sudo settings in order to change the timeout of the root access.

Let us access the configuration file.

user@pc~$ sudo visudo

This command is absolutely necessary in order to modify the file; the file itself says so:

#This file MUST be edited with the 'visudo' command as root.

Don't worry, the editor is not vim; on Ubuntu it opens with nano. Near the beginning of the file one can see predefined Defaults entries; the one that matters to us is the following:

Defaults env_reset

This is where we can set the timeout; notice that the variable is not even defined in the file yet. On the same line, we need to append the timeout variable with the following syntax:

timestamp_timeout=x

Now, instead of the x we can put any integer value. This value represents the time in seconds that the terminal will wait before asking for the password again.

If you want the computer to ask for the password

Continue reading "Quick Tip: SUDO timeout"
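As an added example (not from the original post), here is a small POSIX shell helper that reads a sudoers-style file, finds the timestamp_timeout set on a Defaults line, and reports what it means the way sudoers(5) defines it: 0 prompts for every command, a negative value never prompts again in that session, and any other value is a timeout in minutes. It assumes only sh and awk; the file path is passed as an argument, and the sample sudoers lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Reads a sudoers-style file and
# reports the effective timestamp_timeout so an edit can be checked before you
# rely on it. Assumes POSIX sh and awk; no root is needed to run it on a copy.

# Print the timestamp_timeout value set by a Defaults line, or "unset" when no
# Defaults line sets it (sudo then uses its compiled-in default).
sudo_timeout_value() {
    awk '
        /^[ \t]*#/ { next }                    # comments, e.g. the visudo warning
        /^[ \t]*Defaults/ {
            # Defaults options are comma separated: Defaults env_reset,timestamp_timeout=0
            n = split($0, opt, /[, \t]+/)
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^timestamp_timeout=/) {
                    sub(/^timestamp_timeout=/, "", opt[i])
                    val = opt[i]               # later lines override earlier ones
                }
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Explain the value the way sudoers(5) defines it: 0 = prompt for every command,
# negative = never prompt again in the session, otherwise a timeout in minutes.
sudo_timeout_policy() {
    v=$(sudo_timeout_value "$1")
    case "$v" in
        unset) echo "default (compiled-in timeout)" ;;
        0)     echo "always prompt" ;;
        -*)    echo "never prompt again" ;;
        *)     echo "prompt after $v minutes" ;;
    esac
}

# Stand-alone use: sh sudo_timeout.sh /etc/sudoers  (read access needed)
if [ $# -gt 0 ]; then
    sudo_timeout_policy "$1"
fi
```

After saving your edit, `sudo visudo -c` checks the syntax of the sudoers file, which is the step that protects you from locking yourself out with a typo.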

The not-so-comfortable Interview

--Originally published at TC2027 – Blog will Tear us Apart

The first step in Rebooting a Digital Life is to understand the trouble. I've decided to treat this first step as an interview; here I ask some core questions to understand the situation.

For privacy reasons let’s call her P. Stratton, woman, 21.

What do you think about digital reputation?

People should be aware of their personal image and how they show themselves to the world. Usually people are not aware of the impact of what you say or do online on your real-life flesh and bones.

Your current persona is not constant nor available. Why?

Sometimes I see posting on social networks as a waste of time. So I try to focus more on my daily life tasks or agenda instead of constantly being on social media.

Why did you shut down some of your networks?

I thought that shutting down some of my networks would help me concentrate more on my important tasks. I started to get overwhelmed by having to update each of my social media.

Why do you consider your current digital persona a mess?

I had two stages in my social network persona: the one that didn't take building an image into account and just posted whatever I found interesting, and the one that was aware that the past social networks should be refurbished. My social media was time-consuming, so later on I figured out that disappearing was a better option.

You told me you have cyber-stalking troubles; what happened?

While in Europe, someone I met at work and befriended on Facebook started "blackmailing" me. At first, we started flirting with each other and started hanging around. Everything was fine until I noticed he was a violent and insecure person and a manipulator as well. I thought that getting away from

Continue reading "The not-so-comfortable Interview"

Talk safely to me

--Originally published at TC2027 – Blog will Tear us Apart

One of the main uses of the Internet nowadays is definitely communication: from chats in cellphone apps such as WhatsApp to e-mails, Snapchat videos and tweets. Let me define it as "every single interaction that is meant to be read by another internet user".

Now, obviously not every communication is the same: a WhatsApp message to your mom containing your current location holds sensitive information and should be delivered from one device to the other as secretly as possible. That's different from your tweet about the new Britney Spears single, which will appear on a public page on the web.

But as we know, the internet is open by design, so is any communication channel really secure?

Not by itself.

The internet is a public and open protocol, so your address, as well as every "package" of information you send through it, is completely public. Imagine you send a real-life package from Canada to Mexico. The addresses of both the sender and the recipient are literally pasted on the box, so anyone with access to the physical box can read both, and anyone with ulterior motives could open the box, see what is inside, steal it, document it, change it or even plant a bomb.


And just like in the real world, in the parallel universe of internet communications those labels are public and data can be read, stolen or changed, which, by the way, defeats the three security pillars from my last post, if you remember it.

So how can I keep my spicy pictures of those hot peppers I bought secure?


Hmm, hot peppers. A true Mexican delight. Well, thankfully we nowadays have a crazy little thing called End-to-End Encryption.

Continue reading "Talk safely to me"

Measure this.

--Originally published at TC2027 – Blog will Tear us Apart

After some much-needed password therapy, let's tackle the general picture of what we are protecting. We may know some techniques, and we already know that we want to be safe, but how can we measure it?

Luckily for us, there are already some guidelines to measure how safe a system is. But first, as Rick Lehtinen stated in his book, Computer Security Basics:

No man, or computer is an island.

Nowadays everything you have is connected, if only to work properly and stay up to date, so don't start shouting out loud that you're not a potential target, because you definitely are.

So in order to measure safety, we can stick to the core C-I-A three-pillars concept, which states that in order to be safe, a system must guarantee:

  • Confidentiality
  • Integrity
  • Availability

Pretty straightforward, no? Let's tackle them one by one. Again, I'm talking user/client-side, so don't expect server-side practices.

Confidentiality

Here is where privacy is at play. As you may remember from my first post, security and privacy are not the same, and security is what makes privacy possible.

And that's precisely what confidentiality is all about: keeping what you want secret in secrecy and what you want public, public. You definitely want your bank accounts, passwords, chats, and perhaps some of your spicy pictures secret (which you shouldn't be sending to anyone, by the way); meanwhile you definitely want everyone to know your spoiler-free (I wish) Game of Thrones death-rant tweets.

How can my confidentiality be compromised?

Easily: there are some really simple ways in which anyone interested, without even having to be a hacker, can destroy your confidentiality. Here are some possible breaches.

What’s the deal with passwords?

--Originally published at TC2027 – Blog will Tear us Apart.

Passwords, oh passwords. The keys to our everything, definitely a pain in the arse.

This is my take on the defense/user side of passwords; if you're interested in the attacking side, read Miss F's post.

I'm sure we've all heard hundreds of times how insecure our passwords are. Every year or so another security blog or company publishes its updated rules and minimum security measures, but as of today, there are some basic principles.

  • Never use your name, birth date, social security number, home address or telephone numbers; not your past ones, nor a family member's.
  • Never use sequential numbers. 123456Seven sucks (ping me if you got that reference).
  • Never use words like “password”, “admin”, “qwerty” as a password. Please.
  • Never repeat passwords. Really, that’s just dumb.
  • Keep them long. Try to use at least 12 characters.
  • Add capital letters and symbols.
  • Do not share them, lass.

I know it's kinda complicated to remember every password ever, so here I've gathered some password-making techniques.

Prefix-Suffix method.

I used to give a middle school digital crash course, and I normally taught this method of password making there. I call it the prefix-suffix method; it is great for memorizing complicated-ish passwords and becomes an easy way to never reuse the same password. It's great for defending against brute-force attacks, and might help a little with dictionary attacks. Here are the steps:

  1. Choose the name of a TV show, movie, character or song; anything you really like, the more obscure the better. For example, the name of a semi-obscure Jedi master: Plo-Koon.
  2. Now grab that name and scramble it in a way you can easily remember: give it a little twist, add some l33t, you name it; just keep it easy to remember. Here's our Jedi: P1O^Kunn (notice that I even misspell it). This

Continue reading "What's the deal with passwords?"

Riding into the Danger zone.

--Originally published at TC2027 – Blog will Tear us Apart.

Current tech trends are leading us into more and more connectivity; "smart objects", like the Force, surround us and bind us. Not only the obvious PC and phone, but your watch, TV, light bulbs, speakers and even your fridge are gathering information in order to provide you with a "better and more personalized" experience.

But are we joining, in a safe way, a technology revolution that will change our lives forever? Who's using our data? Where is it going? Should we worry about it? Are we heading blindfolded into a suicide mission in a Northrop F-5E fighter jet?

Well, it depends.


Security is overrated, privacy doesn't exist. – A close friend.

I love it every time my friend lectures about how he is fine with "companies having my data in order to give me a better service." His opinion, which is completely valid, lacks some crucial information about how this game works.

First of all, security is not privacy. They are not the same thing; yes, they are tightly intertwined, but that doesn't make them one. According to dictionary.com their definitions are:

Privacy: freedom from damaging publicity, public scrutiny, secret surveillance, or unauthorized disclosure of one’s personal data or information, as by government, corporation, or individual.

Security: freedom from danger, risk, etc.; safety.

Long story short, privacy is the freedom or ability to choose what information about you is public. And security is the set of measures that keep everything you don't want to be public as private as Private Ryan.

Google has my information!

Yes, they do: location, activities, daily routes and times, contacts, etc. They have a lot of information, and not only Google; every big company is tracking you: Facebook, Twitter, Amazon, Apple, etc.

Now, this is not inherently

Continue reading "Riding into the Danger zone."

{Beginnings.exe}

--Originally published at TC2027 – Blog will Tear us Apart.

So, I'm starting this blog from scratch, fresh out of the [wordpress] oven. Initially, the purpose of this blog is to become an active participant in Ken Bauer's #TC2027 security course, so be ready to read a lot about the topic. Now, this blog won't be exclusive to that topic; I'll be talking about different topics, so don't worry.

I wasn't quite sure about revealing my identity, but as I'm linking this to my personal Twitter account, it was only going to be a matter of time before I lost that privilege.

I really don’t have much to say at this point, so relax, be patient with my writing skills and enjoy the ride.

P.S. My Twitter interactions are most of the time in Spanish. Perdón.