Category Archives: security

Use Android? You’re Probably Giving Google All Your Wifi Passwords

Go to your home screen, press the Menu button, select “Settings”, under “Personal” select “Backup and reset”. Is the “Back up my data” checkbox checked? If so, all of the wifi passwords that your phone remembers are being synced to your Google account.

Backup and restore settings

And the passwords are in plaintext, too. When you format an Android phone and set it up on first run, after you login to your Google account and restore your backup, it immediately connects to wifi using a saved password. There’s no sort of password hash that your Android phone could send your router to authenticate besides the password itself.

Continue reading

sudo apt-get install torbrowser

TL;DR: I wrote a piece of software called Tor Browser Launcher that downloads and auto-updates Tor Browser Bundle for you, in your language and for your architecture, and verifies signatures. I’d like help finding bugs before the initial release.

Over the years, Tor Project has done an amazing job at making Tor more user-friendly. In the past if you wanted anonymity you had to download and install Tor, maybe hand-edit your torrc file, and configure your browser to use a proxy server. You had to make sure that you didn’t have browser plugins like Flash or Java enabled that would compromise your anonymity. Eventually, this got easier when you could install the TorButton Firefox add-on, but even then you had to keep manually separate your own identity and your anonymous browsing.

Now all you have to do is head to, click the large “Download Tor” button, and then download the Tor Browser Bundle (TBB). Then you extract it (normally to somewhere in your home directory, or to a USB stick) and run start-tor-browser, and wait to connect to the Tor network and for your anonymous browser to pop up with the friendly green “Congratulations. Your browser is configured to use Tor.” page.

Continue reading

Using Gajim Instead of Pidgin for More Secure OTR Chat

I’ve been using Pidgin as my chat client for many years. The one feature of Pidgin that I care about more than any other is that it supports Off-the-Record (OTR).

If you don’t know about OTR, it’s awesome. It lets you have end-to-end encrypted chat sessions with people so that only you and the person you’re chatting with can read the chat messages and all other parties—such as your chat server (often Google), your ISP, or anyone else eavesdropping on your—cannot. It also has cool features like forward secrecy that other cryptosystems like PGP don’t have. If you’ve ever been to a CryptoParty, setting up Pidgin and OTR and learning how to verify keys is always on the schedule.

Continue reading

Beefing Up Security on Your SSH Server

Lately I’ve been thinking about setting up a blog to talk about tech things I find interesting, particularly web security, since that’s how I spend a lot of my work and free time. Since I had an under-used VPS sitting around, I figured I ought to set up WordPress on it and start blogging. What better topic to blog about than how I’m securely setting up this website?

I’m going to start by talking about how to harden SSH. In later posts I’ll talk about how I set up Apache, install an SSL certificate and configure it for maximum security, and some WordPress security tricks. I’m using Debian, but it shouldn’t be hard to adapt this to any Linux distro. I’m assuming you have root access to your server.

Continue reading