Setting up SSL

SSL is a protocol for making secure, authenticated connections across an insecure network like the Internet. It encrypts network traffic, so that an attacker cannot listen in on the network and capture sensitive information such as passwords and credit card numbers. It allows servers to authenticate themselves to clients, so that a web browser can be sure that it is connecting to the website that it thinks it is. It also allows clients to authenticate themselves to servers, which can be used to replace usernames and passwords with digital certificates.

The SSL protocol can be used to encrypt any kind of data that would normally travel over an unencrypted TCP connection. However, in this chapter we are only concerned with the encryption of web page requests and responses, which is done by encrypting HTTP protocol data with SSL. The result is a new protocol called HTTPS, which is used by all websites that want to operate securely. Almost every browser supports the HTTPS protocol, and uses it when retrieving URLs that start with https:// instead of the normal http://. Whereas the normal HTTP protocol uses TCP port 80, the HTTPS protocol uses port 443.

Generating a Self-Signed Certificate

    1. Log in to your system as root.
    2. Change to the directory in which you want to store your certificate files, for example:

       /etc/apache2/ssl

    3. Run the command:

       openssl req -newkey rsa:4096 -x509 -nodes -out cert.pem -keyout key.pem

This command will ask the following questions in order to obtain attributes for your new key. To leave any of the requested fields blank, just enter a single period. NONE of the fields in the certificate matter except Common Name. That field MUST contain the hostname of your site (the domain part of its URL), or you will get an “Invalid Certificate Error”. I would suggest your certificate include ALL subdomains as well, unless you have a reason to generate a separate cert for something such as mail.domain.tld. To include all subdomains, use a wildcard, i.e. *.domain.tld.

Field Name                 Description                       Example (as used in my cert)
Country Name               Your country code [US]            US
State or Province Name     Your state                        Denial
Locality Name              City name                         Confusion
Organization Name          Company name                      Dewey Chetum & Howe
Organizational Unit Name   Dept name                         Misinformation
Common Name                The URL of your site!             *.paranoidpress.com
                           Wildcards are OK
Email Address              Administrator contact email       smaug@paranoidpress.com

When all the questions have been answered, the files cert.pem and key.pem will be created in the current directory. These are your website’s certificate and its private key respectively. Because the private key must be kept secure to ensure the security of SSL connections to your server, change its ownership to the user that Apache runs as, and set its permissions so that no other user can read it, with the commands:

chown www-data:www-data key.pem
chmod 600 key.pem

Installing the Self-Signed Certificate

Now that a certificate and private key have been created, you are ready to configure your web server to use SSL. The best way to do this is to create a new virtual server that handles all requests to port 443 (the HTTPS port) in SSL mode. This way any existing virtual servers on your system will not be affected. The steps to follow are:

    1. In the Webmin Apache Webserver module, click on the Create virtual host tab.
    2. Change Port to 443.
    3. If you want the pages that browsers see when connecting in SSL mode to be the same as those that they see when making a normal HTTP connection, enter the document root directory for your default server into the Document Root field. Otherwise, you can enter a different directory so that clients will see different pages when making HTTPS requests.
    4. Click the Create Now button.
    5. Select the Global Configuration tab, check the ssl box, and click Enable Selected Modules.
    6. Back at the main Apache Webserver module, click on the new virtual server (the one that handles port 443). You should see an SSL Options icon; click it.
    7. Set Enable SSL? to Yes, and de-select SSLv2 and SSLv3 (less secure connection protocols).
    8. Enter the full paths to the cert.pem and key.pem files:

       /etc/apache2/ssl/cert.pem
       /etc/apache2/ssl/key.pem

In the Server Name field, enter the same hostname that you specified for the Common Name when creating the SSL certificate (without the wildcard!).

Click the Create button to have the new virtual server added to your Apache configuration. An icon for it will be added to the module’s main page.

Click on the icon for your new server to go to the virtual server options page. An icon labelled SSL Options should be visible – if not, either your Apache webserver does not have the mod_ssl module, or Webmin hasn’t detected it yet.

Click on the SSL Options icon to bring up the page shown in the screenshot below.

Change the Enable SSL? field to Yes. This tells Apache that the virtual server should treat all connections as HTTPS.

De-select the SSL protocols SSLv2 and SSLv3 (less secure protocols).

In the Certificate/private key file field, de-select Default and enter the full path to the cert.pem file that you created earlier.

In the Private key file field, enter the full path to the key.pem file. If you only have a single file that contains both the certificate and private key, you can leave this field set to Default and enter its path into the field above.

Click Save, then the Apply Changes link back on the virtual server options page.

Unless an error is reported when applying the configuration, your webserver should now be running in SSL mode on port 443. Test it out by using a web browser to go to the URL of your site.
If you receive a warning notice that the connection is untrusted, then it worked! Click on the I Understand the Risks arrow, add an exception, and view the certificate. No one else has to trust the origin of this cert, but you will, because YOU MADE IT. Now you can enjoy secure communication with your server!
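The whole procedure above as one script, added here as an example and not code from the original article: it produces the same self-signed cert.pem and key.pem as the article's openssl command, but from a config file that also sets subjectAltName (current browsers match the hostname against SAN, not only Common Name, so this goes slightly beyond the article), locks down the key as the article does, and prints the Apache directives that the Webmin SSL Options settings correspond to. The function names, the openssl.cnf file and the output directory argument are assumptions; the subject values and domain are the article's.

```shell
# Added example, not code from the article: build the same self-signed
# cert/key pair as the article's `openssl req` command, but from a config
# file that also sets subjectAltName, because browsers match the hostname
# against SAN and not only Common Name. Subject values are the article's;
# the output directory is passed in, and the vhost snippet mirrors the
# Webmin SSL Options settings (Enable SSL, no SSLv2/SSLv3, cert and key paths).
set -eu

make_selfsigned() {
    # $1 = apex domain, $2 = directory that will hold cert.pem and key.pem
    domain="$1"; outdir="$2"
    mkdir -p "$outdir"
    cat > "$outdir/openssl.cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
x509_extensions    = ext
[dn]
C  = US
ST = Denial
L  = Confusion
O  = Dewey Chetum & Howe
OU = Misinformation
CN = $domain
[ext]
# Cover the apex name and every subdomain, as the article's *.domain.tld does
subjectAltName   = DNS:$domain, DNS:*.$domain
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -newkey rsa:4096 -x509 -nodes -days 365 \
        -config "$outdir/openssl.cnf" \
        -out "$outdir/cert.pem" -keyout "$outdir/key.pem" 2>/dev/null
    chmod 600 "$outdir/key.pem"   # the article's permission step
}

# Hostnames the certificate covers, e.g. DNS:example.com,DNS:*.example.com
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Permission string of the private key; -rw------- means only the owner reads it
key_mode() {
    ls -l "$1" | cut -c1-10
}

# Apache directives equivalent to the Webmin SSL Options page described above
vhost_snippet() {
    # $1 = ServerName (no wildcard), $2 = certificate directory
    printf '<VirtualHost *:443>\n    ServerName %s\n    SSLEngine on\n' "$1"
    printf '    SSLProtocol all -SSLv2 -SSLv3\n'
    printf '    SSLCertificateFile %s/cert.pem\n' "$2"
    printf '    SSLCertificateKeyFile %s/key.pem\n</VirtualHost>\n' "$2"
}

if [ -n "${2:-}" ]; then   # usage: sh make-cert.sh paranoidpress.com /etc/apache2/ssl
    make_selfsigned "$1" "$2"
    echo "SAN: $(cert_sans "$2/cert.pem")   key: $(key_mode "$2/key.pem")"
    vhost_snippet "$1" "$2"
fi
```

Run it as root with the same directory the article uses, then compare the printed SAN line with the Server Name you entered in Webmin.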

See also: https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

The disappeared

The disappeared: Chicago police detain Americans at abuse-laden 'black site' | US news | The Guardian http://www.theguardian.com/us-news/2015/feb/24/chicago-police-detain-americans-black-site?utm_source=nextdraft&utm_medium=email

Guerilla Open Access Manifesto - Aaron Swartz

Information is power. But like all power, there are those who want to keep it for
themselves. The world's entire scientific and cultural heritage, published over centuries
in books and journals, is increasingly being digitized and locked up by a handful of
private corporations. Want to read the papers featuring the most famous results of the
sciences? You'll need to send enormous amounts to publishers like Reed Elsevier.

There are those struggling to change this. The Open Access Movement has fought
valiantly to ensure that scientists do not sign their copyrights away but instead ensure
their work is published on the Internet, under terms that allow anyone to access it. But
even under the best scenarios, their work will only apply to things published in the future.
Everything up until now will have been lost.

That is too high a price to pay. Forcing academics to pay money to read the work of their
colleagues? Scanning entire libraries but only allowing the folks at Google to read them?
Providing scientific articles to those at elite universities in the First World, but not to
children in the Global South? It's outrageous and unacceptable.

"I agree," many say, "but what can we do? The companies hold the copyrights, they
make enormous amounts of money by charging for access, and it's perfectly legal —
there's nothing we can do to stop them." But there is something we can, something that's
already being done: we can fight back.

Those with access to these resources — students, librarians, scientists — you have been
given a privilege. You get to feed at this banquet of knowledge while the rest of the world
is locked out. But you need not — indeed, morally, you cannot — keep this privilege for
yourselves. You have a duty to share it with the world. And you have: trading passwords
with colleagues, filling download requests for friends.

Meanwhile, those who have been locked out are not standing idly by. You have been
sneaking through holes and climbing over fences, liberating the information locked up by
the publishers and sharing them with your friends.

But all of this action goes on in the dark, hidden underground. It's called stealing or
piracy, as if sharing a wealth of knowledge were the moral equivalent of plundering a
ship and murdering its crew. But sharing isn't immoral — it's a moral imperative. Only
those blinded by greed would refuse to let a friend make a copy.

Large corporations, of course, are blinded by greed. The laws under which they operate
require it — their shareholders would revolt at anything less. And the politicians they
have bought off back them, passing laws giving them the exclusive power to decide who
can make copies.

There is no justice in following unjust laws. It's time to come into the light and, in the
grand tradition of civil disobedience, declare our opposition to this private theft of public
culture.

We need to take information, wherever it is stored, make our copies and share them with
the world. We need to take stuff that's out of copyright and add it to the archive. We need
to buy secret databases and put them on the Web. We need to download scientific
journals and upload them to file sharing networks. We need to fight for Guerilla Open
Access.

With enough of us, around the world, we'll not just send a strong message opposing the
privatization of knowledge — we'll make it a thing of the past. Will you join us?

Aaron Swartz

July 2008, Eremo, Italy

White house response: UPDATED 1/7/2015

Response to We the People Petition on U.S. Attorney's Office Personnel Matters

Aaron Swartz's death was a tragic, unthinkable loss for his family and friends. Our sympathy continues to go out to those who were closest to him, and to the many others whose lives he touched.

We also reaffirm our belief that a spirit of openness is what makes the Internet such a powerful engine for economic growth, technological innovation, and new ideas. That's why members of the Administration continue to engage with advocates to ensure the Internet remains a free and open platform as technology continues to disrupt industries and connect our communities in ways we can't yet imagine. We will continue this engagement as we tackle new questions on key issues such as citizen participation in democracy, open access to information, privacy, intellectual property, free speech, and security.

As to the specific personnel-related requests raised in your petitions, our response must be limited. Consistent with the terms we laid out when we began We the People, we will not address agency personnel matters in a petition response, because we do not believe this is the appropriate forum in which to do so.

Original petition:

$1.43 of every $100 in America goes toward hospital administration

http://www.vox.com/2014/9/15/6151861/1-43-of-every-100-in-america-towards-hospital-paperwork

America spends a lot of money on the paperwork that makes hospitals run — $218 billion per year, to be exact. That works out to 1.43 percent of the entire American economy being spent on hospitals' administrative costs. Of every $100 spent in America, that means $1.43 is going toward the billing specialists and schedulers that make hospitals here work.

Hospital administration has grown as a percent of the economy over the past decade, from 0.9 percent in 2000 to 1.43 percent in 2012, a new paper in the journal Health Affairs shows.

[Figure: hospital administration as a share of the economy (Health Affairs)]

To put this in a bit of context: America spends twice as much on hospital administration as it does on the entire food budget. For what we pay for hospital paperwork, we could pay for all professional American sports three times over (they had a budget of $61 billion this year, according to PriceWaterhouseCooper).

[Figure: hospital administration spending compared with professional sports]

This makes the United States different from most other countries. In 11 countries that this Health Affairs article looked at, hospitals usually put about 12 percent of their budget toward administrative activities. But in the United States, hospitals spend a full quarter of their funds on filing the necessary paperwork to make sure that surgeries happen and patients get scheduled.

This reflects something particular about the American health care system — namely, it's a complex mess. Most other countries have some central agency that sets a national price for every procedure, from a heart transplant to an MRI. But that's not how the United States works. Here, we have thousands of health insurance companies that each negotiate their own prices. For a hospital contracting with a dozen health plans — each charging a different price for an MRI, and anything else — that necessitates a whole bunch of paperwork.

There are, of course, trade-offs with a system like this. If the government sets the price too low — pays less, for example, for an MRI than hospitals would accept — that could restrict access to needed medicine. In that case, patients have little mode of recourse; they can't switch to another plan, because there's only one game in town.

You can learn more about how that system works, and its trade-offs, in the video below. Then read about Vermont's plan to sharply reduce administrative costs by switching to a single-payer plan (and the massive obstacles the state faces) here.

ComputerCOP: The Dubious 'Internet Safety Software' That Hundreds of Police Agencies Have Distributed to Families

For years, local law enforcement agencies around the country have told parents that installing software is the "first step" in protecting their children online. But as official as it looks, ComputerCOP is actually just spyware.

OFFICIAL: ANOTHER POSSIBLE EBOLA CASE IN DALLAS

Via: http://www.infowars.com/official-admits-another-possible-ebola-case-in-dallas/

Another patient feared to have virus

Dallas health officials are now monitoring another person who they fear may have Ebola after coming into contact with the infected man currently being treated in Dallas, Texas.

“Let me be real frank to the Dallas County residents: the fact that we have one confirmed case, there may be another case that is a close associate with this particular patient,” Dallas County Health and Human Services Director Zachary Thompson said Wednesday in an interview with local ABC affiliate WFAA. “So this is real.”

“There should be a concern, but it’s contained to the specific family members and close friends at this moment.”

Yesterday the Centers for Disease Control and Prevention confirmed a patient at Texas Health Presbyterian Hospital Dallas was the first person to be diagnosed with Ebola in the United States.

$30 million paid to anonymous tipster

WASHINGTON — An anonymous tipster living abroad will receive more than $30 million in the largest whistle-blower award ever doled out by U.S. securities regulators as part of a program that aims to incentivize insiders to report wrongdoing.

The Securities and Exchange Commission said on Monday that the whistle blower provided crucial information that helped investigators uncover a “difficult to detect” fraud.

“This record-breaking award sends a strong message about our commitment to whistle blowers and the value they bring to law enforcement,” SEC Enforcement Director Andrew Ceresney said.

The SEC won new powers in the 2010 Dodd-Frank Wall Street reform law to entice whistle blowers with monetary awards. Before the new law, the SEC was only able to reward people for helping on insider-trading cases.

The new program lets the SEC pay a whistle blower who provides tips and original information that leads to an enforcement action with sanctions that exceed $1 million.

The SEC can award a whistle blower anywhere between 10 percent and 30 percent of the money the agency collects.

By law, the SEC is not allowed to reveal the identity of whistleblowers, and so as a result it does not disclose which case a whistle blower helped to crack.

Settlements with the SEC large enough to justify a $30 million-plus award are fairly uncommon.

Phillips & Cohen LLP, a law firm that represented the whistleblower, declined to provide details about the case but said its client will receive at least $30 million and possibly as much as $35 million.

“I was very concerned that investors were being cheated out of millions of dollars and that the company was misleading them about its actions,” said the whistleblower, in a press release issued by the law firm.

Monday’s announcement marks the fourth time the SEC has agreed to award a whistle blower living abroad — a fact that the agency said demonstrates the “international breadth” of the program.

Since the inception of the program in fiscal year 2012, the SEC has awarded more than a dozen whistle blowers. Monday’s $30 million-plus award is more than double the previous record of $14 million, awarded to a whistle blower in 2013.

Too bad we don't respect government whistle blowers as well

Notice to Our Customers from The Home Depot - late to the game

Dear Valued Customer,

As you may have heard, on September 8, 2014, we confirmed that our payment data systems have been breached, which could potentially impact customers using payment cards at our U.S. and Canadian stores. On September 18, 2014, we confirmed that the malware used in the breach has been eliminated from our U.S. and Canadian stores and that we have completed a major payment security project that provides enhanced encryption of payment data at point of sale throughout our U.S. stores, offering significant new protection for customers. There is no evidence that debit PIN numbers were compromised or that checks were impacted. Additionally, there is no evidence that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com.

We are offering customers who used a payment card at a Home Depot store in 2014, from April on, 12 months of free identity protection services, including credit monitoring, beginning on September 19, 2014. We apologize for the frustration and anxiety this may cause you and we thank you for your patience during this time.

For more information, please visit our website where you’ll find frequently asked questions, helpful tips, our Important Customer Notice, and information about how to take advantage of the free identity protection services, including credit monitoring. Should you have questions regarding the authenticity of this email or any additional questions over the coming days and weeks, please call 1-800-HOMEDEPOT.

We hope this information is useful and we appreciate your continued support.

The Home Depot

via Notice to Our Customers from The Home Depot - Gmail.

A little bit late to the game wouldn't you say?

I'm not usually one to get angry about these things, but the way that this has been handled by HomeDepot is a lot more important than just "the frustration and anxiety this may cause you". Why would they continue to use software that they (should) know has a vulnerability? This was the same POS system that was being used by Target last year!

I have, as of yet, never been the victim of identity theft. But three times in the last two years I have had my credit card data stolen because companies have failed to protect my interests, so I will be voting with my feet. I have no great incentive to go to Target or HomeDepot when there are alternatives, usually across the street.

It still begs some questions:

  1. Why do companies feel it's necessary to store my payment information? - This to me seems a needless liability that they don't need to incur.  Process the payment and after 3 days or a month delete the data!
  2. If payment information does have to be stored, store that information in a separate database, and use strong encryption.  We know that encryption works.  There are industry best practices that we know how to use, and that is exactly what a relational database is good at doing!

It's past time for systems like Apple's "new" NFC payment option to gain widespread use. I've had that ability on my Android phone for about 3 years now, but it is unusable. There are almost no POS systems that honor the system, but I hope that Apple's entry into this space will help adoption of new payment systems that will leave credit card companies in the cold.

P.S. Thank you HomeDepot for not including a hyperlink in your email. That's the first security-conscious thing you've done yet. Maybe there is hope for you.

Administraitjacket

Nearly one and a half percent of the entire American economy is spent on hospital administration. In Vox, Sarah Kliff puts that into perspective: "America spends twice as much on hospital administration as it does on the entire food budget. For what we pay for hospital paperwork, we could pay for all professional American sports three times over."

from: http://nextdraft.com/?p=5776

more: http://www.vox.com/2014/9/15/6151861/1-43-of-every-100-in-america-towards-hospital-paperwork

Dornob: Tablecloth Only Reveals its True Pattern When Spilled On

Dornob: Tablecloth Only Reveals its True Pattern When Spilled On. http://google.com/newsstand/s/CBIw1_2zzBo
I would buy this!