Encrypt all the things!

  • I'm reading the open source everything manifesto https://www.amazon.com/Open-Source-Everything-Manifesto-Transparency-Truth/dp/1583944435
    Transformative ideas. Wondering how these ideas work with a totally encrypted world...

  • GDPR... how many organisations are going to be in breach of this in 2018? My guess is 'most'.

    https://blog.varonis.com/eu-gdpr-spotlight-pseudonymization-as-an-alternative-to-encryption/

  • Not us :)

    Though I can speak of the joys of mapping identifiers back and forth endlessly.

    The first layer is external id to internal id... but then you realise that internal services class other services as external and start to realise there's a delicate chain of id swapping (and auditing and enforcement) that is pervasive. It's also fragile, because if you try and circumvent the chain, the id you possess is meaningless.
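The id-swapping chain described in the post above, as an added worked example (not code from the thread or any product it mentions): a hypothetical pseudonymisation service that issues a different keyed pseudonym per consuming service, keeps the only reverse mapping itself, writes every issue/resolve to an audit trail, and refuses a token presented by a consumer it was not issued to. Names (`PseudonymService`, `billing`, `analytics`), the master key and the record id are all constructed for the demo.

```python
from __future__ import annotations

import hashlib
import hmac


class PseudonymService:
    """Issue per-consumer pseudonyms for an internal id and resolve them back.

    Hypothetical design (not any real library's API): each consuming service
    gets its own pseudonym for the same record, so a token obtained at one hop
    in the chain is meaningless at any other hop, and every issue/resolve is
    appended to an audit trail.
    """

    def __init__(self, master_key: bytes) -> None:
        self._master_key = master_key
        # (consumer, pseudonym) -> internal id; HMAC is one-way, so a table is needed
        self._reverse: dict[tuple[str, str], str] = {}
        self.audit: list[tuple] = []

    def _derive(self, consumer: str, internal_id: str) -> str:
        # Keyed, one-way derivation: a per-consumer subkey, then HMAC of the id.
        subkey = hmac.new(self._master_key, consumer.encode(), hashlib.sha256).digest()
        return hmac.new(subkey, internal_id.encode(), hashlib.sha256).hexdigest()[:32]

    def to_external(self, consumer: str, internal_id: str) -> str:
        pseudonym = self._derive(consumer, internal_id)
        self._reverse[(consumer, pseudonym)] = internal_id
        self.audit.append(("issue", consumer, pseudonym))
        return pseudonym

    def to_internal(self, consumer: str, pseudonym: str) -> str:
        internal_id = self._reverse.get((consumer, pseudonym))
        # Enforcement point: failed lookups are audited, not silently ignored.
        self.audit.append(("resolve", consumer, pseudonym, internal_id is not None))
        if internal_id is None:
            raise PermissionError(f"{consumer!r} holds no such pseudonym")
        return internal_id


def demo_chain() -> dict:
    """Walk a constructed two-hop chain: core record -> billing -> analytics."""
    svc = PseudonymService(master_key=b"constructed-demo-key-not-for-production")
    internal_id = "cust-000123"  # constructed sample record id

    billing_token = svc.to_external("billing", internal_id)
    # Billing classes analytics as external, so analytics gets its own pseudonym,
    # issued from the id billing resolved rather than by forwarding billing's token.
    analytics_token = svc.to_external("analytics", svc.to_internal("billing", billing_token))

    # Circumventing the chain: analytics presents billing's token directly.
    try:
        svc.to_internal("analytics", billing_token)
        shortcut_worked = True
    except PermissionError:
        shortcut_worked = False

    return {
        "billing_token": billing_token,
        "analytics_token": analytics_token,
        "tokens_differ": billing_token != analytics_token,
        "shortcut_worked": shortcut_worked,
        "audit_entries": len(svc.audit),
        "failed_resolutions": sum(1 for e in svc.audit if e[0] == "resolve" and not e[3]),
    }


if __name__ == "__main__":
    for key, value in demo_chain().items():
        print(f"{key}: {value}")
```

The per-consumer subkey is what makes a leaked token from one service worthless elsewhere; the single reverse table is the "delicate chain" the post describes, and the audited `PermissionError` is where circumvention becomes visible rather than merely failing.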

  • Maybe outsourcing us to Russia is a good idea...

  • @Velocio what router did you replace your Asus 66 with?

  • what router did you replace your Asus 66 with?

    I replaced my whole home network.

    My Virgin Media modem is operating in modem mode... and that connects directly to an Ubiquiti EdgeRouter:

    https://www.ubnt.com/edgemax/edgerouter-poe/

    I have the 5-port one but you really only need the ERLite-3 as you'll only have 1 inbound cable (from the actual WAN connection) and 1 outbound cable (to your local switch)... if you wanted to use the 3rd port it would be for setting up an entirely different network such as a DMZ that cannot see your local network... which could be good for things like consoles, smart TVs, etc.

    The EdgeRouter maintains the firewall, NAT, DNS, DHCP, etc.

    Then the EdgeRouter is connected to my switch which is the ToughSwitch:

    https://www.ubnt.com/accessories/toughswitch/

    I run the TS-8-Pro. The switch is entirely on the same DHCP IP range (from the EdgeRouter) and this means that everything on the network is the same address range. This is pretty cool... because... I have attached my WiFi and my NAS and my computers all to this switch. The funky thing is that my Google ChromeCast (WiFi only) is visible to my cabled computers (with WiFi disabled) because they're on the same IP network.

    Attached to my ToughSwitch is the WiFi router, a Unifi AP AC Lite:

    https://www.ubnt.com/unifi/unifi-ap-ac-lite/

    This provides all of the WiFi in my place and is power over ethernet so a single discreet cable goes to this unit and it's not unattractive so it's fixed to the wall.

    It's not the cheapest setup, but it is incredibly rock solid. Since moving to this I have had unwavering gigabit speeds locally, unbelievably strong WiFi throughout the house (and I still get WiFi outside the building (I'm on the 19th floor remember)), it's very secure, it hasn't ever felt excessively hot, I've been able to put the units in small spaces.

    And I know stuff.

    Like I finally have been able to measure via the ToughSwitch how much traffic goes to/from my NAS typically, or how much bandwidth I actually send to/from the WAN (useful should I move to a place I can get http://aa.net.uk/ as they sell internet connections by bandwidth consumed, and now I'll know).

    Troubleshooting the network is a piece of piss as there's visibility of everything, though after setup I've not needed to troubleshoot at all because it all works perfectly.

    Been running this for almost a year, I don't recall needing to reboot a box once, or having weak signal, questionable speed... nothing.

    It's just a different level of equipment.

  • On that note I have a similar setup. Virgin modem in modem mode, router, 2 switches and a Unifi wi-fi point. Occasionally my wi-fi seems to play silly buggers. It's at the end of the system (it goes modem -> router -> first switch -> second switch -> wi-fi).

    Is there a way to see which component is causing the wi-fi problems? I'm currently restarting things one-by-one which is a bit of a faff.

  • If your switches are ToughSwitches then yes, use the reporting interfaces to view the traffic and other things.

    But typically, WiFi issues are best solved using a mobile app like Wifi Analyzer on Android... and just moving the WiFi channel frequencies to less populated parts of the spectrum. The vast majority of WiFi issues are simply "someone else transmitting on the same frequency", and won't be related to you having several switches in the setup. If other people have added WiFi in your vicinity since you installed the Unifi, this is likely the issue.

    On an upside though, most default channels are coded into BT boxes, etc... so if you pick a spare bit of frequency manually you'll always be in the clear and they'll always stomp over each other.

    I'm in a tower block... lots of WiFi above, below, to the sides... have no issues with my Unifi.

  • I don't have any smart devices. I do, I just don't plug any of them in so the local network is not in use, save for a NAS box and then I glazed over. Sorry, I seem to be firefighting network issues today which isn't my job but our software is running on someone's shitty network and they keep trying to blame AWS for it. Fucking networks, how do they work.

    I'll get back to you. Basically I was just going to make use of my VPN by using it for all traffic but you said the 66 ran hot so I figured I'd not break it and skip that step.

  • It ran hot, which isn't the end of the world... but if you're watching video then eventually it gets hot enough to slow itself down and start buffering video.

    For web stuff it's fine, for video stuff it wasn't.

    The EdgeRouter can be an OpenVPN client and works great, but doesn't typically work with most cheap VPNs. I used Streisand to set up my own on Digital Ocean and a fallback on Linode. It reduced my bandwidth to 10MB, but that was a solid 10MB encrypted which is ample for everything I do and for a bit of video too.

  • I'm not convinced the issue is with the wi-fi. It's connecting at full strength. I suspect it may be one of the switches but I don't know how to test that.

  • One word of warning.

    The EdgeRouter has a web UI but it's enterprise targeted... it isn't the simplest.

    The EdgeRouter has wizards for most things... which is great if you fit the scope of the wizard (just setting up the router is a piece of piss).

    Where it gets more difficult is setting things up like being an OpenVPN client:

    https://mediarealm.com.au/articles/2014/03/ubiquiti-edgemax-router-openvpn-client-setup/

    https://community.ubnt.com/t5/EdgeMAX/OpenVPN-Client-Setup-for-Private-Internet-Access/td-p/1154803

  • Not easily is the unfortunate answer, especially if the switches have no reporting interfaces. You would have to rather primitively test each hardware route through the switch, but the effort involved is such that I'd just get a better switch. Not helpful I know.

  • Dredge -

    Not sure what is available on Android, though I imagine it is less restricted. Saw a post where someone had set up an Activator task on their JB iPhone: depending on which finger they used to unlock it, it would do different things. One of his fingerprints would reboot the phone, meaning that it would then call for a PIN to unlock, thus avoiding the issue.

  • Smart move.

    But I won't do that at border control, it just looks obstructive. I'll continue to disable in advance of flying so that fingerprints do nothing.

  • Cheers, I do have a spare switch so I guess I'll have to start swapping things out.

  • What's the go with fingerprints vs. PIN?

    I use a PIN lock because I'm simple.

  • I posted this on another forum a few moments ago:

    Identity should never be a password.

    Identity cannot be changed if compromised.

    As a second form of authentication, it is fine, but as a single form alone, it is a bad idea.

    You need two of these always:

    • Something you know (i.e. password)
    • Something you have (i.e. yubikey or a token generator on your phone)
    • Something you are (i.e. fingerprint)

    But any single form is weak by itself, and the weakest single form of all is the something you are as, if compromised, it can never be changed.

    But for LFGSS, this extra bit...

    The convenience of a fingerprint (on iOS or Android) is great... but know how to disable it and do so before you deal with any state actor. In my scenario that means I won't pass through border controls with fingerprint enabled.

    Most states have the right to your identity... and this right is such that they also have the right to use your identity to unlock something, i.e. your phone. You can be compelled to give up your identity.

    Most states acknowledge that you have the right to private thoughts... and you cannot be compelled to share those, self-incrimination is protected, etc. Meaning a password isn't something you can be compelled to give up in a lot of cases.

    Fingerprints are interesting... because they can be faked from photographs amongst various other methods. The first part of this comment was in relation to a discussion about this article: https://www.theguardian.com/technology/2014/dec/30/hacker-fakes-german-ministers-fingerprints-using-photos-of-her-hands

  • I'm not adding 2FA to my phone unlock. It's too inconvenient.

  • What I meant is...

    Fingerprints are awesome, feel free to get that convenience.

    If you're travelling, disable fingerprints and go back to a PIN or lock pattern.

  • Ok, I use a PIN so I will stick with that. Don't trust lock patterns.

  • Anybody have any experience with SSHTunnel? I can't get it to work on any of my Android devices, although it had worked previously.

    The remote server shows that I have an ssh connection, but the Android device doesn't appear to be forwarded.

  • Never mind - none of my apps were pointing to the tunnel - ProxyDroid fixed that.

Posted by Velocio @Velocio