Freemors Blog

Musings of an East Coast Techie

Good Bye HTTP

2023-02-22 by Freemor

Just a note that this site will soon be going HTTPS only. It actually has been for a while but we have maintained an HTTP -> HTTPS redirect.

We have recently added the site to the HSTS preload list. This means that all popular browsers will know that the site should only be accessed via HTTPS.

If in the future you find that you can’t reach the site please double check that you are accessing it via HTTPS.

Hello SEO Spammers

2022-10-05 by Freemor

I’m writing this mostly tongue-in-cheek post to make it plain to any SEO spammer that actually reads my site that I am one hundred percent, completely, truly uninterested in any services you may be offering.

And since I have written this post and it will be the top post on the front page of my site for a while I’ll assume any e-mail I get about help building a better site or with SEO optimization or whatever is total crap because you obviously didn’t even read the top post on the first page. And will promptly delete your e-mail and block your spam (Which I already do because: see above).

Just a note to people flogging their services in this way. Sending UCE makes you look completely unprofessional and very sketchy. Not a good look. Not a good way to build a customer base.

Mostly tho I just wanted a new top post.. it’s been a long time.

The Sheeplenet

2019-08-21 by Freemor

Today I am coining (as far as I am currently aware) a new term. "The Sheeplenet".

Sheeplenet: A term referring to Google, FaceBook, Amazon, Microsoft, Twitter    
            Instagram (still facebook), Snapchat, Youtube (still Google), Etc. 
            That most people are referring to when they use the term Internet.

To be clear, the Sheeplenet is not, nor has it ever been "The Internet". The Internet is the collection of interconnected autonomous networks that people use via their ISP to talk to those things.

I am coining the term mostly for personal use but mainly to disambiguate all those services from "The Internet". I'm all over the Internet. I use it every day. I'm just not on the Sheeplenet.

People are often confused when I tell them, "I'm not on service A", "No I'm not on service B or C either.". This confusion leads to questions like, "Aren't you on the Internet?". Which is of course technically very, very, incorrect. That is akin to asking someone, "Don't you drive?" just because they never go to your favourite mall or coffee shop.

I use the "Sheeple" part, not disparagingly but rather to refer to the unconsidered way that the vast majority of people end up, not only on these services, but also thinking that they are the "Internet".

Because of this incorrect mindset (And it is a mindset that the companies in question work hard to foster in the people that spend time there) people stop wondering what other wonderful things the Internet can do. What else is out there? What strange and wonderful corners are there? How else can the fact that I, You, almost anyone, can talk to every other computer on the planet be put to amazing uses?

It is the loss of the understanding that a service that you can access via the Internet is not "The Internet". It is a misconception that hides the wonder, potential, and freedom of the Internet from those using said services. I can talk to almost anyone on the planet with the Internet without the need for any of the Sheeplenet. Doing so is trivially easy. It's not because I'm an uber techie, or have some special ability that others lack. The only special ability I have is seeing the open roads of the Internet as exactly that. Roads that take me where I want to go. Without having to use any service that is gonna steal my data, my privacy, and my individuality in the process.

So if you're looking for Freemor.. I'm, "out there, traveling the open highways of the Internet...." And I am definitely not alone out there. There are many other people traveling those roads instead of sitting in a Mall and thinking it is the totality of this thing called the Internet.

Come on out and join us. Feel the freedom of the digital highway as you explore the wonder that truly is "The Internet".

P.S.A Re: Sextortion E-Mail Scam

2018-10-14 by Freemor

This is just a quick posting to alert those that read my blog that sextortion spammers have changed tactics.

They still claim that they hacked your life but are now claiming to have done so by breaking into an email account. As proof they offer the fact that the "From:" header shows the e-mail as coming from your account.

The important thing to know is that the "From:" header is completely and trivially spoofable. Anyone can send an e-mail with anything they want in the From: line.

Do Not Fall For this.

Here is the raw (source version with all the headers shown) version of one of these spams that hit my mailbox.

From freemor@freemor.ca Sat Oct 13 06:05:01 2018
Return-Path: freemor@freemor.ca
X-Original-To: freemor@freemor.ca
Delivered-To: freemor@freemor.ca
Received: from 213-174-110.netrunf.cytanet.com.cy (213-174-110.netrunf.cytanet.com.cy [213.149.174.110])
    by server (Postfix) with ESMTP id 4127571C
    for freemor@freemor.ca; Sat, 13 Oct 2018 06:05:01 -0300 (ADT)
Message-ID: <5F7026344D09625F7026344D09625F70@PSFB91RPS>
From: freemor@freemor.ca
To: freemor@freemor.ca
Subject: freemor@freemor.ca was hacked
Date: 13 Oct 2018 13:34:07 +0200
MIME-Version: 1.0
Content-Type: text/plain;
    charset="cp-850"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 15.4.3508.1109
X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3508.1109
Status: RO

Hello freemor@

My nickname in darknet is sauveur16. I'll begin by saying that I hacked this mailbox (please look on 'from' in your header) more than six months ago, through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time.

Even if you changed the password after that - it does not matter, my virus intercepted all the caching data on your computer and automatically saved access for me.

I have access to all your accounts, social networks, email, browsing history. Accordingly, I have the data of all your contacts, files from your computer, photos and videos.

I was most struck by the intimate content sites that you occasionally visit. You have a very wild imagination, I tell you!

During your pastime and entertainment there, I took screenshot through the camera of your device, synchronizing with what you are watching. Oh my god! You are so funny and excited!

I think that you do not want all your contacts to get these files, right? If you are of the same opinion, then I think that $500 is quite a fair price to destroy the dirt I created.

Send the above amount on my bitcoin wallet: 1MN7A7QqQaAVoxV4zdjdrnEHXmjhzcQ4Bq As soon as the above amount is received, I guarantee that the data will be deleted, I do not need it.

Otherwise, these files and history of visiting sites will get all your contacts from your device. Also, I'll send to everyone your contact access to your email and access logs, I have carefully saved it!

Since reading this letter you have 48 hours! After your reading this message, I'll receive an automatic notification that you have seen the letter.

I hope I taught you a good lesson. Do not be so nonchalant, please visit only to proven resources, and don't enter your passwords anywhere! Good luck!

Even though both "From" lines say it came from me there are several important facts.

The "Received:" line clearly shows that it actually came from 213-174-110.netrunf.cytanet.com.cy, which is not my mail server. It is a computer in the Republic of Cyprus, most certainly not where my mail server lives. And from the looks of the domain name, probably from someone's home.

So let me say it again. The "From:" line in an email means Nothing. It is Trivial to spoof. Anyone with even a tiny bit of knowledge can send e-mails that claim to be from you, or Plato, or the Easter bunny. This type of sextortion scam is just trying to scare you into paying for no reason.
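The manual check described above, as an added example that is not part of the original post: it reads the topmost "Received:" header (the one the receiving server wrote itself) and flags a message whose "From:" claims the local domain although an outside host delivered it. The function names, and the assumption that the domain's own relays have hostnames under that domain, are illustrative; the control message is constructed and uses example.org.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers of the spam quoted above (mbox "From " line and body omitted).
SPAM_HEADERS = """\
Return-Path: freemor@freemor.ca
X-Original-To: freemor@freemor.ca
Delivered-To: freemor@freemor.ca
Received: from 213-174-110.netrunf.cytanet.com.cy (213-174-110.netrunf.cytanet.com.cy [213.149.174.110])
\tby server (Postfix) with ESMTP id 4127571C
\tfor freemor@freemor.ca; Sat, 13 Oct 2018 06:05:01 -0300 (ADT)
Message-ID: <5F7026344D09625F7026344D09625F70@PSFB91RPS>
From: freemor@freemor.ca
To: freemor@freemor.ca
Subject: freemor@freemor.ca was hacked
Date: 13 Oct 2018 13:34:07 +0200

"""

# Constructed control sample: same shape, but handed over by the domain's own relay.
CONTROL_HEADERS = """\
Received: from mail.example.org (mail.example.org [192.0.2.25])
\tby server (Postfix) with ESMTP id 0000000
\tfor alice@example.org; Sat, 13 Oct 2018 06:05:01 -0300 (ADT)
From: bob@example.org
To: alice@example.org
Subject: lunch

"""

# Postfix-style trace line: "from HELO (reverse-dns [ip]) by ...".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>[^\s\[\]]*)\s*\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]\)"
)


def connecting_client(msg):
    """Return (helo, rdns, ip) from the topmost Received header, or None.

    Only the topmost header is written by our own server; anything below it
    was supplied by the sender and can be forged just like From:.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    unfolded = " ".join(received[0].split())  # undo header folding
    match = RECEIVED_RE.search(unfolded)
    if not match:
        return None
    return match.group("helo"), match.group("rdns"), match.group("ip")


def assess(raw_headers, own_relay_domains):
    """Compare what From: claims with the host that actually delivered the mail.

    own_relay_domains is an assumption supplied by the caller: the domains
    under which the site's legitimate outbound mail servers are named.
    """
    msg = message_from_string(raw_headers)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]

    host, ip = None, None
    client = connecting_client(msg)
    if client:
        _helo, rdns, ip = client
        # The HELO name is chosen by the sender, so it is ignored here; the
        # reverse-DNS name was looked up by the receiving server.
        if rdns and rdns != "unknown":
            host = rdns.lower().rstrip(".")

    from_own_relay = host is not None and any(
        host == d or host.endswith("." + d) for d in own_relay_domains
    )
    return {
        "from_domain": from_domain,
        "client_host": host,
        "client_ip": ip,
        "self_addressed": bool(from_addr) and from_addr == to_addr,
        # From: claims one of our domains, but an outside host delivered it.
        "spoof_suspected": from_domain in own_relay_domains and not from_own_relay,
    }


if __name__ == "__main__":
    print(assess(SPAM_HEADERS, ("freemor.ca",)))
    print(assess(CONTROL_HEADERS, ("example.org",)))
```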

What You Need to Know About efail

2018-06-15 by Freemor

I am writing this because there is a lot of hyperbole about efail.

Are GPG/PGP and S/MIME broken?

No. efail is an attack on the mail client, not on the cryptography. Although there is some messing with the cryptographic elements, that would be very apparent: signatures would fail, etc.

Are my Private Keys Compromised? Does this lead to a compromise of the keys?

No. This tricks email reading programs into sending the clear text of the message once it is decrypted back to the attacker.

Is my email program affected?

Maybe. Not all are. There is an excellent chart on page 11 of the official report.

Should I disable/stop using GPG or S/MIME?

That depends.

The real problem is HTML rendering in some email clients. Check the list in the document mentioned above to see if yours is affected.

Patches are coming on-line quickly, so check that your E-mail client is up to date.

If you are comfortable doing so, turn off HTML rendering of E-mail. This will almost completely mitigate the issue. The researchers did not get a non-HTML rendered E-mail to be affected, but they do suggest other more complicated things that MAY be able to do that.

Keep in mind that this is a complicated Man-in-the-middle attack that requires the attacker to have access to your stored E-mails on the server or your computer, or the ability to capture them in transit. This is not something generic hackers will be doing. It is something that Governments and places like the NSA will be interested in. If you are worried about them I'd strongly suggest making sure you are using a non-affected client and disabling HTML rendering.

But for the average person that isn't worried about nation states and spy agencies actively trying to get their stuff I'd say keep using GPG or S/MIME. Apply the patches as they become available. Turn off HTML rendering, or move to an unaffected client.

It's better to send encrypted and force people to work at decrypting it than just say fuck it and send everything in the clear and let them have it all with no effort.

The Bullet points

  • The attacker must have access to your E-mails either on the server or in transit
  • Not all email programs are affected
  • Patches are coming quickly
  • This is not a problem with the encryption. It is a problem with the E-mail programs
  • Turning off HTML rendering almost completely neuters this attack (except for some theoretical attacks)
  • For the average person this is a low priority and easily mitigated attack.
  • Take the appropriate precautions like moving to a non-affected E-mail reader, patching, plus turning off HTML rendering and keep encrypting.

Why Open Source

2018-04-17 by Freemor

Ok, I'm going to attempt to explain why open source software is better than closed source. For the libre-software folks in the crowd I'll be addressing copyleft and the four freedoms in a following post.

I'm going to explain this using an analogy and what I hope is an apt one- that of a recipe. This is something everyone is familiar with and has probably worked with at one point or other.

Source code is a recipe for how to make a program. Depending on the language it is either "baked" (compiled) or "eaten as is" (interpreted).

Like a recipe the source code is just a list of things to use (resources) and instructions on how to use them (the program).

Just as many recipes need to be baked and one can't easily identify what went in to the recipe after baking, many modern programs are compiled and what comes out of the compiler looks way more like cake than eggs, flour, sugar, vanilla, etc. Therefore it is very hard to work on a program after it is compiled. Just imagine trying to add more oil to a cake that came out too dry after it's baked. It just won't end well.

Ok, now that we have the analogy established, imagine a world where recipes were all legally protected secrets. The only food you could buy was pre-cooked or ready-to-eat. Hate the flavour? Too bad. Want to add blueberries? Sorry can't do that, or at least not in a meaningful way. Ovens would be for heating alone just as most people's computers are just for using a browser.

Worse still, if you did figure out how to make a brownie, somehow found the ingredients and tools to use them and then, GASP! used your oven for cooking, you'd probably promptly get sued by the local big brownie concern for stealing their secrets. And because they are secrets you couldn't prove that you didn't or it would be very hard to.

In this world almost no one could help you with your brownies as only a select few know how to cook or what cooking even is, other than "That thing specially trained people do for big companies".

This is the world of closed source. This is the world of the late 80's and early 90's before the open-source movement. There were a few small pools of hobbyists keeping programming for fun alive but mostly all the recipes had disappeared or were very old and stale.

Now imagine a world where everyone publishes their recipes. And because of this the tools to use the recipes are readily available. If you didn't like Magoo's chocolate cake, you could download the recipe and fix it and bake your own. Now depending on the license that Magoo attached to the recipe you may or may not be able to tell anyone about how you fixed it, and may or may not be able to sell the better cake you made. This is where software freedom and copyleft come in, which I'll talk about in a later posting.

In this world there would be lots of people cooking, sharing ideas on how to cook, how to cook better, coming up with new and interesting things. Also people could look over Magoo's recipes and say "Too much salt in cake #3, it should be 1 teaspoon not 1 tablespoon". Also people could make sure Magoo's wasn't including rat poison, or making a frosting of raw eggs, sugar and lard that'd go off in a day and lead to people getting sick and dying, thus making everyone safe.

Just imagine if VW's emission control software had been open source. People would have looked at it and said "WTF! What are you doing?" Now I know some of you are saying "Ah, but they could publish a good recipe and then bake the bad one". True, but it'd still be a lot easier to catch them as you could bake the recipe they published and then compare it to the pre-baked version. In the VW example the pre-baked version would somehow, mysteriously have way better mileage. And because people know how to cook, they'd know there are only a couple of ingredients that could be fiddled with to achieve that result.

VW is not the only one hiding things in their closed source software. Most programs that you find in "App Stores" are closed source and many of them do their best to take your personal information, often without permission. These activities would be plainly visible if people could look at the source code, as would many vulnerabilities or things like back doors in the program.

This is where we are hopefully heading. Many programs are now open source; many are still secret. We will probably never get to a 100% open source world. But as people learn more about the open source movement, and realize that programming is just a learned skill like cooking, instead of seeing it as a magical "something" that only rare geniuses can do, there will be more and more pressure for companies to open their source code, or for software repositories like "App Stores" to include a way to also download the source code for a program.

What You Need to Know about Meltdown and Spectre

2018-01-04 by Freemor

I am writing this because there is a lot of hype, click bait and other stuff going on around Meltdown and Spectre. I want to put out the info in plain simple terms.

First and Foremost

Your computer is not broken or defective.

Intel DID NOT screw up.

The fact that Out-of-order Execution has been around since the '70s and in modern PCs since the mid '90s and the exploit is only now being found shows that this is an extremely clever, highly technical exploit that builds on much more modern concepts like "CPU cache timing attacks for side channel leakage of information".

There are software patches already on the way to mitigate the problem. The "performance hits" talked about are not well documented and as the mitigations improve any performance hit will be reduced.

Is it bad?

It is a serious issue. It is not the end of the world, or your computer, or the internet.

What is it?

Both techniques take advantage of a feature of many (not all) modern processors called Out-of-order execution, which is a technique that most modern CPUs use to get things done more efficiently and faster.

It is NOT a technique to get code on your machine. It is a technique that code that has already gotten on your machine can use to access information that is usually protected.

Access to such information would let the code then bypass several other protections to gain more privileges or steal information from other processes.

What should I do?

Breathe. Relax. There is no evidence that these have been exploited in the wild yet. Patches/Fixes are coming online quickly.

Apply patches as they become available. Many people are working on ways to mitigate these problems.

What about all the noise?

Sadly this is the type of exploit that makes for great attention grabbing headlines and news coverage. But the facts are much more complex than the mainstream media want to cover. It is much easier to say "Every Intel Processor is affected by this bug." than "There is a highly technical side channel attack on processors that support Out-Of-Order Execution that leads to the leakage of privileged information. This would let them steal information or use information about the layout of system memory to use another advanced technique called Return Oriented Programming to gain full control of the system."

Divorcing My SmartPhone

2017-08-28 by Freemor

So, I came to the realization that I was in a broken relationship. One in which my attention was often demanded for petty reasons. A relationship where interacting with the other party failed to fill any deep or meaningful need despite a promise that it would be more fulfilling.

The other party was my smartphone. So it was time for a divorce.

Put in less whimsical terms I recently and increasingly realized I was spending far too much time on my device. I'd find myself reaching for it in any idle moment, as many do. And I never left such events feeling rewarded or fulfilled.

I think that part of what has caused this increased awareness is that in all my other computing I work in an almost completely text centric environment. Bowing to the need for the occasional use of a GUI based browser is about the only non-text interactions I have. But even with browsing most of what I do is done with a text only browser.

Also all my other computing devices are not always on/always connected devices.

This disparity between my normal computing devices and my smartphone I think really highlighted the differences. A growing frustration with the direction that Android is going is also in the mix. As many may know I De-Googled my life a while back and have been very happy for it. So my smartphone runs a Google free version of AOSP. With only apps from F-droid on it. So I'm heading in a more free (as in freedom) direction and every new version of Android that comes out does more and more to lock Android and to lock it to Google.

One of the first things I noticed is that when working in a non-GUI environment I was more focused, more productive, and more task oriented. Whereas on the phone everything felt muddled, unfocused and often meaningless.

I also do not like the treacherous nature of smartphones. As anyone who reads my blog will know privacy is a huge issue for me and smartphones simply leak far too much personal information.. So I had already been mulling what I would do when it was time to replace my current device. I did not want to get another smartphone.

So with all this going on and me recently building myself a small mobile computing device.. Much more of a MID than a smartphone and Linux based not Android based. I decided it was time to start saying good-bye to my smartphone.

Now there were some minor considerations that might have meant that I would have to keep the phone. At least for a while. But I wanted to minimize my use of it.

The first thing I did was transfer as much of the non-communication things I did on it over to my new MID (BTW also text centric), and even a few of the communication functions like Instant messaging.

That went well and I felt no real pain in doing so. Mostly what it did is give that overly attached part of me a mental safety net. "OK, phew, I still have all that, just on the other device"

The next step was turning off all non-critical notifications. If it wasn't something that absolutely required my immediate attention off went the notification. This step was amazingly successful. I quickly stopped looking at my phone all the time. Even the amount of checking it in the idle times dropped. I even started to lose the desire to keep it with me all the time.

After that came A big one. Pull every attention sucking, non-critical communication thing off the phone. All social media things gone from the phone. All games, gone. All those random interesting but ultimately time wasting apps, gone. Calendar, gone (have it on my MID now). Even the browser, Youtube player, etc.. gone.

This sounds rather radical but it was necessary if I was to say good-bye to my phone.. All that was left were things that deal directly with real time communications, and privacy enhancements. So basically phone, SMS (encrypted), GPS navigation, and contacts. Plus a few enhancements like firewall, ConnectBot and F-Droid.

And. I didn't go nuts.. In fact my routines changed in pleasant ways. I no longer reached for the phone as soon as I woke up. No reason to. It often lay forgotten until I was about to head out for the day. I still check my social media but it is a much more intentional type of interaction which happens on my laptop while having my morning coffee, and ends once I'm caught up. Same with e-mail.

After another purge further stripping the phone down to nothing but basic phone features, and turning off WiFi, which went far better than I thought it would, I was ready to take the plunge. I ordered a $70 feature phone to replace my smart phone.

The phone arrived quickly and despite myself and others being concerned that I would end up ultimately being unhappy with the phone, quite the opposite has happened. Other than some initial pain learning how to TXT with T9 style input again, life is fine.

Although I can no longer easily do encrypted SMS, only a few people ever got on board with that and most of what I send via SMS isn't anything that needs encryption. I don't really care if the powers that be see me asking my wife if we need bananas. For anything that requires encryption I can use the Instant Messenger on my MID.

I am actually loving the flip phone. It is smaller, lighter, better on battery, has a replaceable battery, feels and acts more phone like, and still is able to play my music and podcasts through my Bluetooth headphones. I do not need more. And best of all I got my life back. I'm no longer tied to a hugely expensive, privacy sucking, attention sucking, thing that is doomed to the landfill because the battery can not be replaced.

I even now turn the phone off when not in use. Imagine that. A life where I only get bugged by the outside world when I choose to. A world where I control how and when I talk to people or people talk to me. A world where I watch all the way through a TV show (or several) without ever two screening. A world in which when I'm with friends I'm with them, not split between them and my annoying smart thing.

I'd strongly suggest that others should try to follow in my path. Even if you only got as far as paring back what is on the phone and limiting notifications to only the important ones I suspect you'd notice a large difference in your life. I certainly did.

Where I Stand...

2016-07-15 by Freemor

I will not be moved to hatred by media and politicians seeking to use tragedy to gain power.
   Instead I will hold fast to my love of my fellow human beings and my knowledge that the vast majority are peaceful.

I will not be goaded to anger by those hoping to exploit the unclear thinking that lives there.
   Instead I will hold and extend compassion to my fellow human beings,
   Compassion for the victims, but also, and much more challenging,
   Compassion for the pain, and hopelessness that the perpetrator must have been in to commit such an act.

I will not be made to fear, by heinous acts, or those that seek to exploit people's reactions to such acts.
   Because I know the world is mostly safe,
   Because I know that all sane people wish peace and stability,
   Because I know that the sane far far outnumber the troubled.

And because I know that love and compassion are far more potent salves for human problems than anger and fear.

Stop Calling it Sharing

2016-04-09 by Freemor

I'm getting tired of the term "Sharing" or "sharing economy" being applied to things that clearly are not sharing. It muddies the waters in discussions of these services, it's more about marketing than the reality of the situation, and frankly it's highly inaccurate.

Sharing is something one does without profit in mind.

  • If I let you borrow my car for free that's sharing. If I charge you for the use of my car, I'm offering a paid service.
  • If I let you stay at my place for free because I have the space, that's sharing. If I charge you it is a service. If we make an arrangement where I stay at your place in exchange that is barter.
  • If I give you half my chocolate bar for free, that's sharing.
  • If I trade you half my chocolate bar for one of your cookies, that's barter.

Things like Uber, AirBnB, etc. are not about sharing. There is an exchange of funds involved. The companies provide a service to people who in turn provide a different service to clients.

If you go to Uber's "Drive" page it is quite clear from the wording that this is not about sharing. Phrases like:

"earn what you need"

and

"we deduct a service fee"

clearly show that this has nothing to do with sharing. So any references to Uber as a sharing service are completely inaccurate. It is a business plain and simple.

So with the "sharing" mystique stripped away it is clear that Uber is just another taxi service and thus should be regulated like any other taxi service.

AirBnB is about the same, their website starts off with:

"Rent unique places to stay from local hosts in 190+ countries." (emphasis mine)

Renting is not sharing. Also the "Hosts" pay a service fee to AirBnB:

"You'll only pay a 3% service fee".

So, once again we have a Company offering a service to people who offer a different service to clients. No Sharing. And with the "Sharing" mystique once again stripped away it's clear that this is just an unregulated hotel service.

So can we please stop referring to companies like this as "sharing" or being part of a "Sharing Economy". The use of that term is nothing but marketing buzz and an attempt to try and duck regulations that are generally there to protect the public.

Now if you take a site like CouchSurfing you'll be looking at something that is about sharing. Accommodations offered for free. No strings attached. No earning or service fees. However the company providing the site is not entirely in the sharing business, from their "Terms of use" we see:

"Couchsurfing may offer the opportunity to purchase products and services from third parties. You acknowledge that such products and services are offered and sold to you by one or more third parties. For more information, please refer to the applicable third party's terms of sale and privacy policy that are presented as part of the checkout process."

So even though CouchSurfing facilitates sharing they are in it to make a buck. They are a business. They are offering a monetized service.

I am in no way disparaging CouchSurfing. Everyone needs to eat. And bravo! they are facilitating actual sharing. Good for them. I'm just saying that their motivations are not entirely selfless.

I am also not saying that there is a dearth of sharing. Certainly the capitalistic society in which we live tries hard to push people away from sharing, as it is bad for their bottom line. Even so, I have seen many people offer public spaces and resources on-line for altruistic and/or selfless reasons.

People who run Tor nodes are sharing their bandwidth and computer resources. The same goes for people running I2P nodes, or people running publicly available Pump.io nodes or Diaspora pods. There are also the thousands of people that devote their time and energy to creating freely available GPL'd software.

So there is definitely a sharing economy out there. It just isn't the one you hear about. And sadly the "Sharing Economy" that is getting all the press isn't about sharing at all, just more capitalistic endeavours trying to wrap themselves in a palatable and marketable guise.