Other computing tips

  • Mymail-Crypt for Gmail GPG encryption (Chrome)

    Mymail-Crypt is a Chrome browser addon that encrypts messages with GPG from within the Gmail webmail interface. The project aims to be OpenPGP compatible, so that you can communicate with anybody using public key encryption even if they have different PGP or GPG software. After installing Mymail-Crypt you will have to generate your encryption keys, which can be done with the addon. Entering a password is optional but highly recommended: if you don’t use a password, anyone breaking into your Gmail account will be able to decrypt, sign and encrypt messages, impersonating you. Encryption keys can and must be backed up.

    Mymail-Crypt is fairly easy to use. You will see a button in the Gmail compose screen with the options “Encrypt and sign”, “Encrypt” and “Sign”. Received encrypted Gmail messages can be read by choosing the “Decrypt” option in the drop-down menu and entering your password.

    MyMail-Crypt GPG Chrome Gmail

    The project uses an open source OpenPGP library called OpenPGP.js. It runs locally in JavaScript, so messages are encrypted and decrypted in your browser. This addon will stop Google and others from reading your emails during transit, but email drafts and decrypted autosaves will be saved in the clear to Gmail servers. Encryption only takes place after you click on the “Encrypt” button, so it will not protect you while you are composing the message. The developer also warns that it is possible for Gmail to get hold of the encryption password by monitoring the user as he types it in.

    Another way to encrypt Gmail messages with GPG is to use Thunderbird and Enigmail, although this won’t work for webmail; a further option is to obtain a digital certificate for your email client.

    Visit Mymail-Crypt Chrome store homepage

  • SandCat browser for website penetration testing

    SandCat is a free portable penetration testing browser based on Chromium, the rendering engine behind the Chrome browser. Thanks to its extension support you can quickly find out what server software a website is using, run JavaScript in the loaded page, view cookies and links, use a CGI scanner, HTTP brute force a page and much more. Three tabs at the bottom of the browser allow you to easily change the view from normal to source code or logs.

    Coders can create their own browser extensions with HTML, CSS and Lua (a programming language). The RudaScript library from Syhunt, the browser’s developer, allows you to execute any scripting language, like Ruby, Python, PHP, JavaScript, etc.

    SandCat browser penetration testing

    Although the browser is directed towards system administrators testing their own web server security and people scrutinizing pages that contain malware, privacy activists could use SandCat to see in real time how they are being tracked on the Internet. The browser can split its main window in half to show all live HTTP headers in real time in the top part. It can also be used to teach people how websites work: looking at the HTTP headers as you browse a website shows all of the external elements being downloaded, packet sizes, request methods (GET/POST), pings, advertising networks, redirects… It is much clearer than watching a website’s activity in a packet sniffer full of binary numbers that have to be grouped together.

    The browser is too technical for the average user; unless you are a student, hardcore geek or professional pen tester, it wouldn’t make much sense for you to run SandCat.

    Visit SandCat browser homepage

  • SPDY, a quicker and safer HTTP browser protocol

    SPDY, pronounced “speedy”, is a new experimental protocol developed by Google to speed up the Internet and make it safer. HTTP (Hypertext Transfer Protocol) was never designed to efficiently download a large number of small files; it was meant to serve a single request at a time. As the Internet age advanced, websites kept adding elements like CSS (Cascading Style Sheets), external JavaScript, XML and images. All of those elements needed to be downloaded together for the user to be able to view a webpage, resulting in bottlenecks and delays.

    The ambition of the SPDY protocol is to reduce website load and latency and to increase security. It wants to replace parts of the old HTTP, providing faster communication between server and browser. SPDY uses fewer TCP connections, multiplexing requests into a single stream, and manages TCP more efficiently by prioritizing the resources that need to be sent first, reducing upstream data and cutting down the number of handshakes. It also supports “server push”, a technology that predicts what will be downloaded next and sends it to the browser before a request is made.

    SPDY protocol status in Chrome browser

    SPDY is turned on by default in Google Chrome; you can see it by typing “chrome://net-internals” into the Omnibox. Firefox will turn it on in its next release, Firefox 13; to enable it now, go to “about:config”, search for “network.http.spdy.enabled” and set it to “true”. An Apache server SPDY module exists, and Nginx-based servers (used by Facebook and Hulu) and Jetty web servers (Ubuntu, Zimbra) will support it soon, making it easy for webmasters to deploy SPDY. The protocol won’t work unless server and browser both support it.

    Browsers that currently work with SPDY are Chrome, Firefox, SeaMonkey and Amazon Kindle Silk; the only websites I know of at this time supporting SPDY are Google services (Gmail, search, etc.) and Twitter. Safari and Internet Explorer do not have immediate plans to support the protocol, leaving half of the Internet population out and making it more difficult for the Internet Engineering Task Force (IETF), in charge of the HTTP protocol, to approve a backwards compatible neutral standard.

    Compulsory SSL connection 

    The SPDY protocol makes it mandatory to encrypt all connections with websites using SSL, so webmasters must install an SSL certificate on their servers. As good as it seems, various webmasters have objected to the approach, arguing that when you multiply millions of SSL encryption and decryption requests, the server CPU needs a hardware upgrade and extra arrangements for heat dissipation, driving costs up.

    The second problem is that requiring all webmasters to have an SSL certificate will end up with many of them not bothering to renew their certificates, and users will get used to seeing “expired digital certificate” warnings and clicking on the ignore button without even reading them.

    Read Google’s SPDY white paper

  • HotSpotShield alternative, free VPN SpotFlux

    Spotflux is a free VPN for Mac and Windows computers. It can help you get around censorship in countries where ISPs block websites. Theoretically it can bypass computer Internet filters, but it is not portable and you need administrator rights to install it, so you won’t be able to use Spotflux in your college or workplace unless you have your own laptop.

    I tested their speed from Europe a few times and it gave me a consistent 1MB/1.5MB, enough to stream online video. Hovering your mouse over the Windows tray will show your given IP. Spotflux provides a US computer IP allowing you to access CWTV, ABC, Pandora radio and other websites restricted to US residents only; I tried to watch Hulu and it worked fine, the same with Pandora Radio.

    During installation the software will ask you to install a device driver and also to run Java. This is one part that I did not like: I have used multiple VPNs in the past and I have never been asked to run a Java app. Java runs locally in your computer, it has been exploited in the past, and it could endanger your security unless you are really sure that the place you downloaded it from is trustworthy.

    Free VPN SpotFlux

    Spotflux settings are very simple, consisting of automatic updates, proxy configuration and interface language. What makes this VPN different from others is that they scan and filter all pages you request for malware and viruses; tracking cookies are filtered out too. Nearly all advertisements are blocked. As a blogger I find this VPN unethical; the reason why I don’t update hacker10 more often is because the scarce income I make here does not justify my posting time. Browser addons blocking adverts give people configuration options to only target websites abusing privacy and overdone with adverts; Spotflux blocks all sites. If you use them to visit your favourite sites you will deprive them of advert income and eventually kill the site.

    Spotflux’s privacy policy doesn’t mention what logs they keep and for how long, but they say that they will use deep packet inspection of user traffic to cooperate with law enforcement if necessary. This is definitely not a VPN to be used for privacy, even if they claim so. I don’t know how they make money with it; I will speculate that Spotflux might start charging for extra services in the future. HotSpotShield’s privacy policy is equally bad, but they don’t have any system in place filtering the sites you visit for “privacy reasons”. I would say that both VPNs, SpotFlux and HotSpotShield, are ok to watch US online TV and that is it; never use a free VPN like them to check your email if you care about your online privacy.

    UPDATE December 2012: After using Spotflux again I noticed that the installer comes with sponsored software; you can refuse to install it by unchecking a tickbox. SpotFlux is also blocked in Abc.com, where I get a message saying that I have to disable ad blocking programs before I can watch their videos.

    Visit SpotFlux homepage

  • GPGAuth logs into a website using GPG/PGP keys

    GPGAuth is an authentication mechanism that allows you to use public/private encryption keys (GnuPG, PGP) to log in to a website. There is no need to remember any password or username: GPG keys act as the username, and password verification is carried out in your browser. The trust level for each website can be specified in the GPGAuth options, for example by making sure that the User ID matching the domain has been signed by one of your trusted keys.

    Keyloggers are easily defeated as you don’t have to type in anything, and the server’s owner is given the public encryption key beforehand, making man in the middle attacks extremely difficult. With GPGAuth you won’t need to remember multiple passwords for every different site, and it can be used as a single sign-on system. It is possible to create multiple User IDs from a single GPG keypair, which allows for various online identities if needed.

    Chrome GPG addon GPGAuth

    The downside is that the website you are using must offer the possibility of using GPGAuth, and it hasn’t exactly caught on. The browser addon is only available for the Chrome browser at the moment. The project uses the FireBreath framework to be cross compatible with Windows, Linux and Mac computers and all major browsers, so there is no technical reason stopping it from being ported to other browsers in the future. If Chrome is your main browser you could use it in conjunction with WebPG, a GPG key management addon from the same author; otherwise you will need to have some kind of OpenPGP compatible software installed in your computer.

    Visit GPGAuth homepage

  • Hyperboria, censorship resistant darknet based on CJDNS

    CJDNS is an open source project building a censorship-resistant decentralized network. The routing engine has been designed for security, scalability, speed and ease of use. CJDNS runs on top of your ISP network and provides you with an internal IPv6 address generated from a public encryption key.

    A virtual network card (TUN device) is used to send data to anyone connected to the network. What makes CJDNS different from other decentralized P2P projects like PirateBox is that it is routable over the current Internet, so nodes can be reached anywhere in the world. In the future, as the number of nodes increases, data packets can be sent wirelessly in ad-hoc mode. No DNS is required to access a node; if DNS is ever implemented it will be made decentralized and secure. At the moment the user only needs to know the IPv6 address and paste it in the browser.

    Project MeshNet CJDNS flowchart

    Man in the middle attacks are not possible because public key encryption is used to send packets. CJDNS provides privacy too: other users can’t locate people by simply looking up their internal IPv6 address. Node operators could track a user down, but only if the community helps them out. Unlike the Tor network, the node operator that gave someone access to the mesh can deal with abuse and ban people. A CJDNS network abuse policy will have been democratically decided by those who are part of the network, stopping Government interference and frivolous multinational lawsuits. CJDNS is not trying to replace Tor, it wants to replace the Internet. The idea is that with all hardware working in P2P mode a single person can’t be intimidated into shutting down the network, as there isn’t any central infrastructure that can be attacked.

    As with darknets, to join CJDNS you will first need a friend inside giving you access; once in the network you can connect to everyone else. Hyperboria is the main CJDNS network, composed of dozens of nodes. To connect to Hyperboria sites by their IPv6 addresses you will need to be running CJDNS. It doesn’t matter if your computer is using IPv4, as CJDNS encapsulates IPv6 into IPv4 packets for routing.

    The network is resistant to Distributed Denial of Service (DDoS) because it has too many nodes to bring down. This makes CJDNS resilient to natural disasters too, as there isn’t a single point of failure. CJDNS can be installed on OpenWRT routers and on Mac and Linux computers, and Windows support is being tested. Hardware requirements are low, and if you run a node you can host anything that doesn’t go against the community values.

    Visit Hyperboria homepage
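
The Hyperboria post above says a CJDNS address is generated from a public encryption key. The following is an added example, not code from the post or from the cjdns project, showing how that binding lets a node check that a peer's key really belongs to the address it claims. It assumes the cjdns rule that the address is the first 16 bytes of SHA-512(SHA-512(public key)) and must begin with the byte 0xfc, which the post does not spell out; the function names are hypothetical and the keys are constructed byte strings, not real nodes.

```python
import hashlib
import ipaddress

def cjdns_address(public_key: bytes) -> ipaddress.IPv6Address:
    """Derive the address: first 16 bytes of SHA-512(SHA-512(public key))."""
    if len(public_key) != 32:
        raise ValueError("expected a 32-byte public key")
    digest = hashlib.sha512(hashlib.sha512(public_key).digest()).digest()
    return ipaddress.IPv6Address(digest[:16])

def is_node_address(addr: ipaddress.IPv6Address) -> bool:
    """Assumed cjdns rule: a usable key derives an address starting with 0xfc."""
    return addr.packed[0] == 0xFC

def address_matches_key(claimed: str, public_key: bytes) -> bool:
    """Check a peer's claimed address against the public key it presents."""
    try:
        claimed_addr = ipaddress.IPv6Address(claimed)
        derived = cjdns_address(public_key)
    except ValueError:  # malformed address or wrong key length
        return False
    return is_node_address(derived) and derived == claimed_addr

def find_constructed_key(label: bytes) -> bytes:
    """Hypothetical helper: try constructed 32-byte strings until one derives
    an fc address (about 1 in 256 does). They stand in for real node public
    keys; no matching private key exists."""
    counter = 0
    while True:
        candidate = hashlib.sha256(label + counter.to_bytes(8, "big")).digest()
        if is_node_address(cjdns_address(candidate)):
            return candidate
        counter += 1

# Constructed sample data, not real Hyperboria nodes.
KEY_A = find_constructed_key(b"constructed-node-a")
KEY_B = find_constructed_key(b"constructed-node-b")
ADDR_A = cjdns_address(KEY_A)

if __name__ == "__main__":
    print("node A address:", ADDR_A)
    print("A presents its own key:", address_matches_key(str(ADDR_A), KEY_A))
    print("B presents its key for A's address:",
          address_matches_key(str(ADDR_A), KEY_B))
```

Because the address is a hash of the key, a peer that cannot present the matching public key cannot claim the address, which is the property the post's man in the middle remark relies on.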