Encrypting Your Life :: Mac OSX

With more and more of your personal identity living on the web, it is increasingly important to mind your presence online. It is just as important to make sure that if your systems are physically compromised (a stolen laptop, a lost USB key) there is little chance of your personal identity ending up in crisis. This matters especially with Google (I know, I know, "don't be evil") taking over the web application industry.

Princeton has a good writeup about OS X's default security settings and the overall mindset people need to have in today's internet age. Since most operating systems don't have a track record like OpenBSD's, there are some additional things you might want to do to protect yourself from whoever you feel you need to.

Tor

First and foremost is Tor. Tor is best described by the Tor website:

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.

Installing the Torbutton extension for Firefox, or pointing Safari's network proxy settings at the local Tor proxy, will get you up and running. Keep in mind that Tor hides where your traffic comes from, not what it says: anything sent in the clear is still readable once it leaves the Tor network at the exit node, so the encryption covered below still matters.

You may also choose to run a Tor server (relay) if you have some bandwidth to spare.

Email

Once you have a Tor proxy set up it's time to work on your email. First off, since Google has opened up their email service, more and more people will have their mail sitting on Google's servers. This is great for Google's bottom line but bad for its security: a single provider holding that much mail is a big target, and more and more attackers will aim at Google to get at your messages. With the Gmail Encryption Greasemonkey script you can get decent encryption built "into" the Gmail client. I say "into" because what Greasemonkey actually does is rewrite some of the page's DHTML so that the encryption JavaScript runs inside Gmail.

What I feel would be more secure, and compatible with more people, is to use the GnuPG program and configure Thunderbird to use Enigmail, especially since Google allows third-party software to access their POP3 servers.

In addition, when you create your GnuPG key, make sure you publish the public key (never the private one) on a PGP key server so that people who want to write to you can find it.

If you are like me and love using IMAP for all of your mail accounts, SSH tunneling might be right for you. You cannot trust every access point you connect through, so you should encrypt all of your traffic: forward a local port to the IMAP server's port through an SSH connection to a host you trust, and point your mail client at that local port. There is a good O'Reilly article, and getting it set up in OS X is a breeze. Projects such as AlmostVPN will help you manage your SSH connections and tunnels. It looks like a great little program.

Instant Messaging

Linux users already know about Gaim and Gaim-Encryption, which works very well, but only with other Gaim-Encryption users. Adium has built-in encryption based on Off-the-Record Messaging (OTR). OTR has native support in many popular clients, including Gaim, along with a proxy for clients that do not support OTR out of the box.

VoIP Phones

Another internet technology that is getting popular is VoIP. What people don't realize is that these phone conversations are just as easy to pick up as plain-text emails: unencrypted call audio crosses the network as ordinary packets that anyone on the path can capture and play back. With the NSA and others wiretapping, now is a great time for the Zfone Project to be introduced.

The Zfone project is made by the same guy who invented PGP (Phil Zimmermann), and their website lists many reasons to use Zfone rather than competing approaches to VoIP encryption:

* Protects against man-in-the-middle attack without reliance on any PKI or certificate authority

* Key management doesn’t depend on, or even care, what signaling protocol is used — SIP, H.323, etc.

* Key negotiations are purely peer-to-peer through the media stream

* Interoperates with any SIP/RTP phone, autodetects if encryption is supported by other endpoint

* Available as a “plugin” for existing soft VoIP clients, effectively converting them into secure phones

* Available as an SDK for developers to integrate into their VoIP applications

* Submitted to IETF as a proposal for a public standard, and source code is published

What was my password again?

With your now countless passwords, how are you going to remember them all? Well, the first is a little program I wrote to create a password hash. After running this little Python program you are left with a printable table that can transform an easy-to-remember password.

TweedleDee:~/Desktop lcde$ python passwdgen3.py
Enter specific seed or None: Seed Password
Does your password allow special chars (! @ # $ % & ? .): n

Using 58 characters for creation of password matrix.

a: uI    n: j8y   1: 2tw
b: BvV   o: UI    2: uiH
c: Xe9   p: uk6   3: xBg
d: Wz    q: Mt    4: jmK
e: yuJ   r: wT    5: eKV
f: gC    s: L2    6: uQS
g: 5yV   t: Cn    7: Je
h: 35    u: 4E    8: ze
i: dc    v: HJA   9: VJs
j: wQ    w: HZ    0: PNR
k: uaP   x: th
l: 4Gi   y: kSS
m: LpF   z: K5k

As you can see, the program uses a specific seed password to regenerate the table, just in case you lose the printout. A password like hello becomes much harder to guess: 35yuJ4Gi4GiUI. Whether each input character becomes two or three output characters is itself decided at random, to make character-frequency guessing harder. Keep in mind what this does and does not buy you: the table is a fixed substitution, not a one-way hash, so whoever has the printout (or the seed and the program) can map the long password straight back to the short one. It protects the short word you memorize; the seed and the sheet are the real secrets.

The last little trick is a cross-platform password manager: Password Gorilla. It stores all of your passwords in a Blowfish-encrypted password file. With a simple double-click a password is copied to your clipboard, ready to paste into the login prompt. After a default idle time of 5 minutes the database locks itself and your passwords are safe. I keep this password manager on my USB key and take it everywhere I go.

File system

This post has gotten quite long-winded, but I really wanted to get this down so I can look back on it later. There is one more thing I wanted to talk about: file encryption.

As any progressive operating system should, OS X lets you create encrypted disk images (Disk Utility does this). Or, using your PGP key, you can have GnuPG encrypt individual files.

Additionally, you can add different FUSE-compliant file systems to your Mac using MacFUSE. Thank God for Google Summer of Code.

MacFUSE is a very interesting program that has many, many uses. I suggest checking out their video documentation.

UPDATE:

I found a great article about encrypting your backup tar files using OpenSSL, GPG or Amanda. The OpenSSL command line looks great:

# tar cvf - / | openssl enc -aes-256-cbc -salt -pass file:/root/.backup_key > /dev/rmt0

To decrypt with OpenSSL, use the -d option and feed the output back into tar:

# openssl enc -d -aes-256-cbc -pass file:/root/.backup_key < /dev/rmt0 | tar xvf -
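The commands above take the passphrase from a key file rather than from the command line. What follows is an added example, not code from the article or from the O'Reilly piece, that wraps that pattern in Python: it creates the key file with mode 0600 from the first instant, refuses to run if the file is readable by anyone else (or is a symlink, or belongs to someone else), never places the passphrase in the argument list, and, when an openssl binary is present, pushes bytes through an encrypt/decrypt round trip over pipes the same way the tar pipeline does. It adds -pbkdf2, which exists in OpenSSL 1.1.1 and later; the key path and the sample payload are constructed for the example.

```python
import os
import shutil
import stat
import subprocess
import tempfile


def key_file_is_private(path):
    """True only if `path` is a regular file owned by us that group/other cannot
    read, write or execute: "/root/.backup_key is readable only by root" generalised
    to whichever user runs the backup."""
    try:
        st = os.lstat(path)        # lstat: a symlink to a world-readable file must not pass
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def write_key_file(path, passphrase):
    """Create the key file with mode 0600 from the start (O_EXCL: never overwrite,
    never a moment where it is world-readable).  openssl reads only the first line."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(passphrase + "\n")


def openssl_argv(key_path, decrypt=False):
    """Argument list for openssl enc.  -pass file: keeps the passphrase out of the
    process list that `ps` shows to every user; -pbkdf2 (OpenSSL 1.1.1 or later)
    replaces the legacy single-round key derivation that `openssl enc` defaults to."""
    argv = ["openssl", "enc", "-aes-256-cbc", "-salt", "-pbkdf2", "-pass", "file:" + key_path]
    if decrypt:
        argv.insert(2, "-d")
    return argv


def _run(argv, data, key_path):
    # Check the key file every time: a later chmod must not silently weaken the backup.
    if not key_file_is_private(key_path):
        raise PermissionError(f"{key_path} is readable by other users; refusing to use it")
    return subprocess.run(argv, input=data, stdout=subprocess.PIPE, check=True).stdout


def encrypt_stream(data, key_path):
    """Encrypt bytes (for example the output of `tar cvf -`) as the pipeline above does."""
    return _run(openssl_argv(key_path), data, key_path)


def decrypt_stream(data, key_path):
    """Inverse of encrypt_stream; the result is what you would pipe into `tar xvf -`."""
    return _run(openssl_argv(key_path, decrypt=True), data, key_path)


def demo():
    """Exercise the checks in a temporary directory and report what happened."""
    tmp = tempfile.mkdtemp()
    key = os.path.join(tmp, "backup_key")          # stand-in for /root/.backup_key
    passphrase = "correct horse battery staple"    # constructed sample, not a real key
    write_key_file(key, passphrase)
    results = {"private_after_create": key_file_is_private(key)}

    os.chmod(key, 0o644)                            # simulate a careless chmod
    try:
        encrypt_stream(b"x", key)
        results["rejected_when_shared"] = False
    except PermissionError:
        results["rejected_when_shared"] = True
    os.chmod(key, 0o600)

    results["passphrase_in_argv"] = any(passphrase in a for a in openssl_argv(key))

    if shutil.which("openssl"):
        plain = b"constructed sample backup payload\n" * 64
        results["roundtrip"] = decrypt_stream(encrypt_stream(plain, key), key) == plain
    else:
        results["roundtrip"] = None                 # no openssl binary on this machine
    shutil.rmtree(tmp)
    return results


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the four checks; in a real backup you would replace the constructed payload with the tar stream and write the ciphertext to the tape device or a file.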
Here /root/.backup_key is a file holding your password, readable only by root. If you aren't worried about someone running `ps` and seeing your password in the argument list, a simple -pass pass: followed by the password would work; on a shared machine it will not, since every user can see other processes' command lines. Two more caveats: the default key derivation in openssl enc is a single hash round, so with OpenSSL 1.1.1 or later add -pbkdf2 to slow down brute force on the password, and AES-CBC by itself does not detect tampering, so keep a separate checksum of the encrypted stream. The device /dev/rmt0 is the guy's tape drive. Encrypting your backup adds a lot of time to the job, but I feel it's worth every minute. (From the article.)

Wrap-up

Using all of these programs has one drawback: the majority of people will either not know how, or not want, to go through all of the trouble to secure their systems and their lives. So sending your mom an encrypted message may be more trouble than it is worth. But those of us who know better should encrypt all of our personal data, and anything we put on the web, to protect our privacy and anonymity. At least until Freenet becomes more usable.

