Why I fired Google

One of the many reasons I’ve been leaving Google for other services.

Searal - Parallel Search

One of the examples I am showing here is why I am now using Searal and have fired Google search from my browser –

I was looking for the solution for this query: “JBAS014688: Wrong type for max-threads. Expected [EXPRESSION, INT] but was OBJECT”

And check out what the Google results are –


And then I searched on Searal, which says that it provides relevant results quicker –


Searal is a simple idea, but I think it definitely provides better results and serves the purpose. Not only that: before this I only saw what Google wanted me to see. Now I can independently see different results from different search engines and then choose the best from them. This is one of the proofs.


How to start a secure browser: Quark

Ran across this paper today about a pretty cool new browser, Quark:

Quark, a browser whose kernel has been implemented and verified in the Coq proof assistant. We give a specification of our kernel, show that the implementation satisfies the specification, and finally show that the specification implies several security properties, including tab non-interference, cookie integrity and confidentiality, and address bar integrity.

Let’s put this into simpler terms. Unlike standard programming practice with unit tests, which essentially test the cases that the developer defines, this goes one step further and proves that the base kernel of the system will do precisely what is specified and nothing else, provided all of the assumptions about the OS base, etc. are valid.

This is to programming what mathematical proofs are to mathematics. A unit test suite is similar to doing scientific experiments and inferring that your system matches the spec; a proof in programming is precisely the same as a proof in mathematics. It stops being a theory and starts being absolute fact.

This is pretty cool, especially since the code is all there to work with; proven (literally), and entirely open for review. Perhaps this will inspire some security types to do the same with cryptographic kernels.

Epic, a privacy browser with a fatal flaw

I ran across this new browser recently, Epic.

Why should I use Epic?

When you use the Epic Privacy Browser, you get privacy in a fast, simple browser! Have a fabulous browsing experience and gain privacy over what you browse and search. Protect your browsing and searches from hundreds of companies and governments.

Awesome, except for one thing: the software is closed source and, worse, is supported by essentially a form of advertising.

Epic, like most browsers, earns a commission on searches we drive. So the more you use Epic’s default search engine, the more you support Epic and our continued privacy efforts.

Combine this with the fact that it is owned by a private company based out of the US (and thus subject to NSLs and the like).

Hidden Reflex is a privately-funded software start-up company based in the United States

Sadly, great idea, bad execution. If you want a higher assurance of privacy, you shouldn’t use this; use an open source browser with appropriate security-related plugins – NoScript, RequestPolicy, Adblock Edge (not Adblock Plus, which has been compromised). These are a good start; there are others out there that can help even more.

Sadly, if you are a company that wants to provide a believable amount of privacy, you must do at least the following:

  • Your company cannot be based out of the US (Lavabit had to shut down, likely to avoid being forced to put backdoors in its software). I am forced to assume that any organization based out of the US is (or can be) similarly compromised.
  • Your company needs to have its software open sourced. You can keep the copyright on the brand, however. (Open sourced software allows for more public review of the code.)
  • Your company needs to not use servers in the US to store your code or installer, and you should publish a hash of your installer to assure it has not been tampered with.

Without those three things, you can no longer claim your software has privacy in mind and be believed.

Google, this doesn’t prove anything

You can paint over this, but it will still just rust through.

Google is trying to put on a good show of security theatre recently, and the media is almost falling for it (via WaPo)

Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.

I really want to say this means something, but it doesn’t. As we saw just a few days ago, the NSA is more than willing and able to put backdoors into everything. They could encrypt every bit of traffic between all of their servers, and it would be meaningless if they were forced to give away the root keys via an NSL, or had someone inside of Google who could place a “bug” or get the certificates themselves.

They almost recognize this, but miss the target by about a meter.

Encrypting information flowing among data centers will not make it impossible for intelligence agencies to snoop on individual users of Google services, nor will it have any effect on legal requirements that the company comply with court orders or valid national security requests for data. But company officials and independent security experts said that increasingly widespread use of encryption technology makes mass surveillance more difficult — whether conducted by governments or other sophisticated hackers.

No, it doesn’t make any difference with mass surveillance, none at all. If they don’t fight the NSLs directly and have a proven audited system to assure that there are no spooks inside planting bugs or giving out root keys, then they haven’t done anything more than security theatre.

This doesn’t change a thing. As long as Google is in the US and these NSLs get issued without any real oversight or transparency, they could one-time pad everything between their servers and it would mean very little. The system is compromised; it is proven to be compromised.

If you have a rusty piece of metal, no amount of rust paint will stop the rust. You need to get rid of the rust first. American businesses need to show that they are willing to actually defy these orders to prove to anyone that they are trustworthy again. Lavabit did, but they don’t have the resources of Microsoft, Google or Amazon.

Sucks, but it’s a fact. If you want secure transmissions and need confidentiality, you cannot use American services with any certainty anymore, even if they put on a big show.

Why does this not exist? The “most amazing” restaurants


TNG always discussed the possibility of holodecks. I don’t think we have this tech at all yet, but what if, instead of having a full holodeck, we could have a room which whisks you away to another world? What if we could enjoy our most amazing French dinner while feeling like we are sitting in Paris? Or perhaps enjoy a delicious Jamaican meal – complete with fantastic rum – feeling like we are sitting right next to the beach, complete with sounds and smells?

So real it scares you.

Watch the following. It’s really mean, but it makes a good point.

It’s a screen, so realistic that the most absurd visuals on it, combined with good sound effects and some other special effects, convince people the city is really being destroyed.

Now, this is a mean-spirited prank, and the screen isn’t cheap. What if we took this idea and went with it a bit further.

Let’s expand this a bit.

Obviously we can imitate a single window effectively; LG just proved that. Probably with little work we could do an entire wall, possibly all walls in a room. We have had ultra-realistic sound for a few decades now. We can easily do scents to match a specific video. Combine these elements and you have a room where you can be whisked away to anywhere in the world pretty realistically, for example Paris, complete with sound and smell.

Mmmm, you can really smell the urine.

However, this would not be cheap. My estimate is that it wouldn’t be that much more expensive than a fully decked out VIP section in an expensive restaurant or club. Now, people spend tons of money in a club or restaurant, and the more unique the experience, the more people will shell out. So, why not put two and two together?

In the words of Gordon Ramsay.

Why not have a restaurant or club where you can rent the “holodeck” room, where your experience is not just the food and drink, but travelling the world, enjoying the food in the atmosphere it was meant to be enjoyed in? It would be the “most amazing” experience ever to enjoy with your food. Every aspect of it would be controlled: temperature, scents, sights, sounds.

You wouldn’t be able to walk past the walls, mind you, but who goes for a walk around when they are eating food anyways. The atmosphere would just be designed to amplify the enjoyment of the meal. The chef would not only be able to determine what you eat, but precisely what environment is around you to enjoy it in. Suddenly, the restaurant experience becomes complete and fully adaptable to the chef’s whims.

Why does this not exist?

“No one would pay for it!”

People are already paying a fortune for dinner experiences like the following:

I just hope it doesn’t rain.

Why would they not pay for the experience of enjoying something like that in a perfectly controlled environment? The investment isn’t anything more than the investment in these luxury clubs and restaurants, especially since you don’t need to put it on top of a building or in a very expensive location. You could build room after room, each one giving a tailored experience to your guests.

Techies are not chefs. (or chefs are not techies)

To put this politely, you are full of brown stuff if you actually believe this. Google Molecular Gastronomy and then we can chat.


This is risky, but starting a high-end restaurant is risky. If you aren’t willing to try something new that makes you stand out, you probably shouldn’t invest in one in the first place. If you can pull this off, combined with good food, you will easily book every room for every day.


This is just a neat idea. I realized it was possible when I saw OLEDs and 3D video without glasses at CES a couple of years back. Still kinda amazed no one is trying it out. Maybe we will see one soon.

Windows 8 is not secure.

From Business Insider:

According to leaked internal documents from the German Federal Office for Information Security (BSI) that Die Zeit obtained, IT experts figured out that Windows 8, the touch-screen enabled, super-duper, but sales-challenged Microsoft operating system is outright dangerous for data security.

It allows Microsoft to control the computer remotely through a built-in backdoor. Keys to that backdoor are likely accessible to the NSA – and in an unintended ironic twist, perhaps even to the Chinese.

I originally really wanted to upgrade to Windows 8 because it looks sexy, but at this point I’m actually starting to plan a move to Linux. Most of the tools I use are now available on Linux (or function properly in WINE).

If you are a law office, or need to obey PIPEDA or other privacy laws or similar, Windows 8 is pretty much unusable by you. If there is a known backdoor in the system, it can be used by other individuals and since you are aware, you are knowingly breaking any confidentiality agreements you have with your clients.

In context, Panda Rose is pretty much forbidden to use any American servers for some of our government contracts because the data is considered confidential and the Canadian (and Ontario) governments do not believe that the data can be kept private on an American server.


Hardening your SSH server (opensshd_config)

I don’t think this really adds anything to the security, but it looks cool.

With all of the NSA spying and privacy items out there, I thought I’d write a quick post on easy ways to lock down your SSH server for people who may want to make some tweaks to their sshd_config on their Ubuntu (or other Linux) installations. This article specifically covers opensshd_config settings. PAM settings and other SSH related settings will come later.

I have a series of bash scripts that generate these settings automatically. If you are interested, let me know and I will send them to you. Note: everything in <<Code>> format references a line in your /etc/ssh/sshd_config. If you don’t see the line (or something similar) anywhere, then you may need to add it.

Some of the items below prevent information leakage. A determined adversary will be able to get around them, but they will deter script kiddies and scanning attacks, easing the load on your server.

Port Settings

If possible, you should not use port 22 as the SSH port.

Port 22

Instead you should choose another unused port randomly and set that as the SSH port. For example:

Port 6920

There are many circumstances, however, where a client’s IT will not permit a non-standard SSH port to be open on their firewall. In these circumstances, leave the port as port 22. This is not a high-security change; it avoids automated SSH attacks and gives the server a lower profile if its ports are scanned.

IP Listen Address


Try to avoid having ListenAddress set to listen on all IPs. If there are multiple IPs available to the machine, a specific IP should be used for SSH and no other services. This allows for easier auditing and makes it more difficult to match specific websites to specific SSH servers.

This also allows you to set up very specific rules on the firewall for this machine. As well, it ensures that you know precisely where the SSH is open. If you are only to have it open on the internal network, this will naturally restrict it to that.

Protocol Version

Protocol 2

SSH protocol version 1 (SSH-1) has known man-in-the-middle attack problems and myriad security vulnerabilities. SSH-1 is formally obsolete and should be avoided at all costs.

Privilege Separation

UsePrivilegeSeparation yes

UsePrivilegeSeparation sets up an unprivileged child process to deal with any incoming traffic. Only after the user successfully authenticates does it grant the privileges of the authenticated user. This is so that if any of the incoming traffic corrupts the process, there will be no privilege escalation.

While this is usually by default “yes”, it should be listed as a line item in sshd_config to ensure that it is on.


SyslogFacility AUTH
LogLevel INFO

Logging should be set to go to the /var/log/auth.log facility by using SyslogFacility AUTH. This ensures that any problems around invalid logins or the like are forwarded to a central security log for auditing purposes.

Allowed settings for LogLevel at Panda Rose are ERROR, INFO and VERBOSE. In general, LogLevel should be INFO if disk space is not a concern; however, it should not go to DEBUG levels, as that will violate the privacy of users. If disk space is a concern, LogLevel should be ERROR, and the log should be gzipped and stored on a regular basis for auditing purposes. VERBOSE should be used for debugging purposes if necessary. However, it should not be the default LogLevel, as the data it produces is far more difficult to audit than either ERROR or INFO.


LoginGraceTime 120

This is the time allowed for a non-authenticated user to stay connected to the system. Commonly 120 seconds is the default. You can set this lower to avoid it being a DDoS vector; however, 120 seems to work well for most circumstances.

PermitRootLogin no

There is no circumstance that this value should be anything other than no.

StrictModes yes

StrictModes specifies whether sshd checks to ensure a user did not make their .ssh directory and files writable by anyone other than its rightful owner. If the permissions are wrong, then the user cannot log in. As a security tool this prevents a hostile user or a hacked account from gaining access to other user accounts (and possibly administrative access) to the server.

PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

Public key authentication is recommended for general use. This functionality allows users to create password-protected public/private keypairs using a facility like PuTTYgen or ssh-keygen and then connect securely using said key pair. Instructions for how to properly create one of these keys are explained in a later article on client security procedures.

IgnoreRhosts yes

This prevents issues around HostbasedAuthentication. While not likely a big issue, it should be set to ignore them.

HostbasedAuthentication no

In circumstances where the server is an independent, secure server, HostbasedAuthentication should be set to no. When there are multiple servers that are not all necessarily secure, and a need to have a centralized server handling HostbasedAuthentication, this can be set up. This will be discussed in further detail in a later article.

PermitEmptyPasswords no

This one is just simple common sense. No one should be able to log in if they don’t have a password.

ChallengeResponseAuthentication yes
UsePAM yes

This is related to the PAM-based authentication set up for root users, to be explained in another article. This allows Google Authenticator or another token-based or biometric-based authentication system to be implemented to improve security for administrative users.

UsePAM allows us to set up PAM to use these extra methods of authentication for logging in administrative users.

KerberosAuthentication no
GSSAPIAuthentication no

For the purposes of most installations, neither Kerberos nor GSSAPI-based systems will be used.


X11Forwarding no

Unless absolutely needed, X11 shouldn’t be running on a Linux server open to the web. X11 Forwarding should be off. In circumstances where X11 Forwarding is on, treat the server as a secure Linux client and not a server.

GatewayPorts no

In most cases individuals won’t be using your server as a gateway to other machines. Set GatewayPorts to no to ensure that any port forwarding is limited to the local machine. If this needs to be set to yes, make a note of it in that server’s details document for future audits.

Information Leakage

PrintMotd no

While a message of the day seems useful, in many circumstances it gives away information to end users who may not be administrators and should not be aware of it. This setting is on by default for many Ubuntu installs; it should be turned off.

PrintLastLog yes

This will print the IP, date and time of the last user login for that user. This is useful information as it can give a user a hint if someone were to gain access to their account. Leave this one on.

Prevent zombies

TCPKeepAlive yes

To avoid sessions that hang forever, this should be left on. It sends TCP keepalive messages to determine whether the client has gone down. If the client goes down or the connection is interrupted, the server notices and ends the session rather than consuming resources on “ghost” users.

Some users may complain since it implies if the route goes down temporarily, the connection will die. In these circumstances, determine if their needs require this to be turned off. Turning this off has no security implications.

Legal banner

Banner /etc/issue.net

This will display a banner before a user logs into the server. For clients who have their own legal team, a proper banner should be requested from them for their servers. Panda Rose’s standard banner is as follows:

You are accessing a Panda Rose Consulting Studios (PRCS) managed
Information System (mIS) that is provided for authorized use only.
By using this mIS (which includes any device attached to this mIS),
you consent to the following conditions:
* PRCS routinely intercepts and monitors communications on this mIS.
* At any time, PRCS may inspect and seize data stored on this mIS.
* Communications using or data stored on this mIS are not private.
  They are subject to routine monitoring, interception and search.
  They may be disclosed or used for any PRCS authorized purpose.
* This mIS includes security measures (e.g., authentication and
  access controls) to protect PRCS and our clients' interests --
  not for your personal benefit or privacy.

Your IP has been logged.

Contact your lawyers, or make an adjusted version to fit your needs.


Ciphers blowfish-cbc,aes256-cbc,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1

Restrict Ciphers and MACs to the most secure algorithms. While not a real issue, this shows attention to detail. HMAC-SHA1 is required since PuTTY does not support the other algorithms yet.

Restrict Users

AllowUsers name1 name2

It is good practice to limit SSH to only the users who should have access to it. This is done with an AllowUsers line at the end of sshd_config listing (space-separated) the users who can log in with SSH.

Final thoughts

The above are suggestions, and over time they may change to fit your needs. At the end of the day, these settings are just a small piece of ensuring your server is secure. Most of the determined attacks on your server will be based on zero-day vulnerabilities or other security holes, many of which are not even related to SSH. Ensure your server is updated regularly, and always audit your logs to detect break-ins. You can use a tool like logcheck or logwatch to aid you in this process.
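As an added example (not the author’s generator scripts), the following POSIX sh script audits an sshd_config against the directives recommended above, reading values the way sshd does (first uncommented occurrence wins, Match blocks are conditional) and flagging the comma-separated AllowUsers mistake; the sample config it checks is constructed for the demonstration.

```shell
#!/bin/sh
# Audit an sshd_config against the directives recommended in this article.
# Handles the "Keyword value" form. Like sshd, the FIRST uncommented occurrence
# of a keyword wins, and lines after a Match block are skipped (conditional).

# Directive / expected-value pairs from the article, whitespace-separated.
EXPECTED='Protocol 2  UsePrivilegeSeparation yes  SyslogFacility AUTH
PermitRootLogin no  StrictModes yes  PubkeyAuthentication yes  IgnoreRhosts yes
HostbasedAuthentication no  PermitEmptyPasswords no  UsePAM yes  X11Forwarding no
GatewayPorts no  PrintMotd no  PrintLastLog yes  TCPKeepAlive yes'

# effective_value FILE KEYWORD: print the value sshd would use (empty if unset).
effective_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                                  # drop comments
        tolower($1) == "match" { exit }                     # end of global section
        NF >= 2 && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# allowusers_ok FILE: AllowUsers is space-separated; "name1,name2" would be read
# as a single nonexistent user and lock everyone out. Returns 1 on a comma.
allowusers_ok() {
    awk '{ sub(/#.*/, "") }
         tolower($1) == "allowusers" && $0 ~ /,/ { bad = 1 }
         END { exit bad ? 1 : 0 }' "$1"
}

# audit_sshd_config FILE: print each deviation; exit status = number found.
audit_sshd_config() {
    file="$1" failures=0
    set -- $EXPECTED                      # word-split the pairs (no subshell)
    while [ $# -ge 2 ]; do
        directive="$1" expected="$2"; shift 2
        actual=$(effective_value "$file" "$directive" | tr 'A-Z' 'a-z')
        if [ -z "$actual" ]; then
            echo "$directive: not set explicitly (expected $expected)"
            failures=$((failures + 1))
        elif [ "$actual" != "$(echo "$expected" | tr 'A-Z' 'a-z')" ]; then
            echo "$directive: got $actual, expected $expected"
            failures=$((failures + 1))
        fi
    done
    allowusers_ok "$file" || { echo "AllowUsers: comma-separated list"; failures=$((failures + 1)); }
    return "$failures"
}

# Constructed sample config (not a real server's file) exercising the edge cases.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 6920
Protocol 2
UsePrivilegeSeparation yes
SyslogFacility AUTH
PermitRootLogin yes
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
#PermitEmptyPasswords no
IgnoreRhosts yes
HostbasedAuthentication no
UsePAM yes
X11Forwarding yes
GatewayPorts no
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AllowUsers alice,bob
Match User alice
    X11Forwarding no
EOF
}

# Demonstration; for a real audit: audit_sshd_config /etc/ssh/sshd_config
sample=$(mktemp)
write_sample_config "$sample"
deviations=0
audit_sshd_config "$sample" || deviations=$?
echo "$deviations deviation(s) found"
rm -f "$sample"
```

The sample reports four deviations: the first PermitRootLogin (yes) wins over the later no, PermitEmptyPasswords is only present as a comment, X11Forwarding is yes globally despite the Match override, and AllowUsers uses commas.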

This article is crossposted at Panda Rose’s blog

Why does this not exist? Real e-books.

This is the first article of what I hope to be a series of discussions on products that seem to have all the pieces in existence, but for some reason no organization with enough capital has invested in it. This doesn’t mean there aren’t technical challenges in implementing it, but rather I know of no company doing it, even though the tech exists.

I want an e-book, not an e-page

Today’s topic is real e-books, not the tablet style Kindle or Nook which are essentially glorified screens with the ability to read more than one article. Rather, a book with real pages that you can turn and update to have any content you want. While I like the fact we at least have the ability to read books digitally in a nice fashion, I still think we are falling short of the real capabilities of e-ink and digital technology.

Cool, but not really an e-book, closer to an e-page.

To get the vision clear, please note that a book is not a single page. A single page is essentially a pamphlet or brochure. When I read a book, there is the physical enjoyment of turning the pages of the book, but even more so, the ability to position physically different parts of the book so I can flip back and forth to compare and contrast what I’m reading.

This is especially useful for textbooks. However, it is a real part of the book reading experience that is fundamentally lost with any of the existing e-book readers.

ooooh pages.

So, with that in mind, what am I envisioning? I’m envisioning a digital tool with multiple screens made up of e-ink, say 50 pages worth. With the front page I can load a book (or at least 100 pages of the book) into the reader and then I can start reading, flipping the pages myself rather than having to click on a next page/previous page set of buttons.

Pieces of the Puzzle

Bendable, thin e-ink pages.

That looks like it’s bending to me.

This technology has been kicking around for over a decade now. At the last CES, Sony, LG, and a variety of other providers were showing not only that it bends, but that it’s a lot more durable than ever. I don’t think it’s impossible to make one that would last a while now.

Small Electronics

Small enough for you?

You don’t need a lot of power in a processor to generate a page that remains static on an e-ink screen. The Arduino Micro is an extreme example of how small you can get, but to be honest, the fact we can pack the equivalent of a computer I had 12 years ago into an iPhone demonstrates to me that this tech isn’t the hangup.

Small power source

Again, look at the Kindle: it is lightweight and has a tiny battery with a good battery life. I don’t see how you could not resize this to fit into the binding of a book.

Why does this not exist?


This is the only hangup I can find. How can you manufacture these cheaply? My bet is that once you have a plan to sell enough of these, the price of the bendable e-ink screens drops. Similar to how the retina screens on the iPhones got cheaper suddenly once there was a demand for them. This is the biggest question mark in the “why does this not exist?” category. However, price, to me, always seems like something that is solvable given good quality industrial engineers.


Maybe I’m the only person who would love to have a digital book I can flip pages with.

Patents/Unknown tech restraints

I am unsure of the legal atmosphere around this technology. It could be that e-ink pages are patented by someone who wants too much money for the rights to use it.


I have been dreaming of making this for almost 10 years now. I just haven’t been able to build a functioning mock-up or prototype due to the fact I don’t know where to get bendable e-ink screens at a reasonable price. Arduinos and programming are easy; it’s the screens where I get stuck.

Hopefully someone out there is building this, because this would be a true e-book and replace my entire bookshelf with one, totally awesome, book.