grmrgecko – Page 2 – Mr. Gecko's Weblog

Author: grmrgecko (page 2 of 12)

Privacy – Messaging

Something that has become popular in recent times is messaging clients like Facebook Messenger, Apple Messages, WhatsApp, and Hangouts. The issue is that not all of these systems are secure.

Issues with popular methods:
1. WhatsApp – Owned by Facebook, closed source, unknown encryption.
2. Facebook Messenger – Facebook knows everything you say.
3. Apple Messages – Apple acts as the key server and can add its own key if it wants to read future messages; it is also only available on Apple devices.
4. Hangouts – Google sees everything.

This post will first explain different things that can be done to protect privacy, then show a table of the clients I recommend with each of those items checked or not.

Peer to Peer (P2P) – Making a direct connection to the other person you are communicating with.
This can be both a good and a bad thing. It is good because your messages are not going to a third party server, but they still go through Internet Service Providers (ISPs), which can view and capture the traffic, so it isn’t much different from going through a third party. It is bad because an ISP can see which IP address you are communicating with, and with this information they can correlate (build a map of) who you communicate with.

Self Hosted – You own the server which is used to communicate with your friends.
Self hosting is basically like P2P: if you own the server, your friends are effectively talking directly to you. If you don’t want to self host, you can also use a friend’s server (such as mine) or even a third party (for example, jabber.org allows you to register an account with them).

End to End (E2E) Encryption – Encrypting your messages so that only the person you’re communicating with can read the message.
This is a must when you’re talking privacy; encrypting only to the server doesn’t protect you from the third party. If jabber.org decided to be malicious or was hacked, and you were not encrypting your messages using GPG/PGP or OTR, your messages could be read.

Open Source – Proof that the software does what it says.
In my book, this is a must, because I like to compile my clients myself. While open source can be proof that the software does what it says, if you download binaries from the service you may not know whether those binaries are actually built from that code. The third party could have compiled a secret back door into the binaries but left it out of the source code. Whether to trust them to do the right thing is up to you; if you don’t know how to compile, or you trust the third party, go ahead and use what they provide.

Server for Transportation of Messages – When you send a message, it is sent to a third party to be delivered to your destination.
If the third party server is taken over by hackers, or if the people owning the servers decide to be malicious, they can capture messages and do what they want with them. If you have E2E encryption, this may not be such a bad issue, but if the encryption is poorly written, a malicious person could possibly figure out what was in the messages you sent. The only major issue with a server transporting messages is that it must know where to deliver them, which means it can more easily correlate who is talking with whom.

Server for Key Discovery – Having a server tell you how to encrypt for E2E Encryption.
If the server tells you the public key to encrypt your messages with, it is also possible for the server to become a man in the middle of the encryption. It can say “here is the user’s public key” while actually handing out its own, allowing it to decrypt and read the messages, then re-encrypt and forward them to the person you’re communicating with.

Encryption Optional – Messages can be sent in plain text.
This can be a bad thing: if you or the person you are communicating with decides not to encrypt, your messages go in the clear and can be read by anyone. For both XMPP and IRC, I have disabled non-encrypted methods of talking to my server, so messages can only go in the clear when a third party server decides to allow non-encrypted connections.

Traffic Correlation – Governments or server owners can make a map of who you talk to.
This is something the NSA does often; they collect phone records to find out who you talk with. If correlation of messages is possible, they get the data they want and can possibly figure out who you are and who you’re talking with by matching it against other captured data.

[Table: Privacy - Messaging client recommendations]

Now that you have an idea of what is good and bad for privacy and which clients support what, I will post my own little comments on each client.

1. Tox

To me, Tox seems like something made by a designer and not a programmer, as the client isn’t exactly stable on some platforms, and when you look at the GitHub page for the Mac client they have almost nothing done on the code side but plenty done on the design side.

One thing I personally do not like about Tox is that you can’t run it in two places at the same time. I have lots of devices, and if I want to leave the house and still be on Tox, I’d have to quit the client on my PC and open it on my phone, and I have a hard time even getting the client for my phone in the first place.

To sum things up: it looks promising, but needs lots of work.

My ID is DF98B2F03C128CE28970C08EC51D72E645627215B5049B8905E6D6FFA1FA6D00F54195874542
I am not usually on this.

2. Threema
This one is a very interesting concept. The idea is that there are three forms of verification: the ID, contact info in your address book, and physical verification via QR code. You can trust that your messages are going to the right person once you have physically verified them.
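The key discovery problem described in the messaging post above (a key server handing out its own public key to sit in the middle) and the fix Threema’s QR verification represents (checking a fingerprint obtained out of band) can be shown side by side. The following is an added example written for this page, not code from Threema, Tox or any client mentioned here. It uses a deliberately tiny Diffie-Hellman group so that it runs with the Python standard library alone; the group parameters, the key server classes and the `fingerprint` format are all my own constructions for the demonstration and are not safe for real use.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: a Mersenne prime that is far too small for real use.
# It exists only so the demonstration runs with the standard library alone.
P = 2**127 - 1
G = 3


def keypair():
    """Generate a (private, public) pair in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub):
    """Short hash of a public key: the kind of value a QR code or a printed
    card carries so two people can compare keys face to face."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def shared_key(priv, peer_pub):
    """Derive a symmetric session key from the DH shared secret."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


class KeyServer:
    """Honest directory: returns exactly the key each user published."""

    def __init__(self):
        self.keys = {}

    def publish(self, name, pub):
        self.keys[name] = pub

    def lookup(self, name):
        return self.keys[name]


class MaliciousKeyServer(KeyServer):
    """Directory that answers every lookup with its own key, which is the
    man-in-the-middle position the post warns about."""

    def __init__(self):
        super().__init__()
        self.priv, self.pub = keypair()

    def lookup(self, name):
        return self.pub


def fetch_and_verify(server, name, expected_fp):
    """Look a key up and compare its fingerprint with one obtained out of band.
    Returns (public key as served, whether the fingerprint matched)."""
    pub = server.lookup(name)
    ok = hmac.compare_digest(fingerprint(pub), expected_fp)
    return pub, ok


def run(server):
    """Alice and Bob publish keys, fetch each other's key through the server and
    derive session keys. Reports whether their keys agree, whether the server
    can derive Alice's key, and whether Alice's fingerprint check passed."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    server.publish("alice", a_pub)
    server.publish("bob", b_pub)

    # Bob's real fingerprint, exchanged in person before they start talking.
    bob_fp = fingerprint(b_pub)

    bob_key_seen_by_alice, verified = fetch_and_verify(server, "bob", bob_fp)
    alice_key_seen_by_bob = server.lookup("alice")

    alice_session = shared_key(a_priv, bob_key_seen_by_alice)
    bob_session = shared_key(b_priv, alice_key_seen_by_bob)

    server_can_read = False
    if isinstance(server, MaliciousKeyServer):
        # Alice encrypted to the server's key, so the server derives her session key.
        server_can_read = shared_key(server.priv, a_pub) == alice_session

    return {
        "keys_agree": alice_session == bob_session,
        "server_can_read_alice": server_can_read,
        "fingerprint_verified": verified,
    }


if __name__ == "__main__":
    print("honest server:   ", run(KeyServer()))
    print("malicious server:", run(MaliciousKeyServer()))
```

With the honest server the two session keys agree and the fingerprint matches; with the malicious one the fingerprint check fails before any message is sent, which is exactly the signal a client should refuse to proceed on. Without the out-of-band comparison Alice would have no way to tell the two cases apart, since the server-supplied key looks perfectly valid.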

The main issue with this client is that you can only have one identity per device, so I couldn’t even use it on both my computer and my phone if they had a client for the computer.


3. TextSecure
I have not really played with this one because I know no one who has it, but I am told good things about it on podcasts.

4. Bleep
This is in its early stages in my opinion; I haven’t really played with it either.

My ID is 86f4df59a91ea2dc970a22f0c2b053a04eaf364e198faf071e5e0fc91d728d10,GRMrGecko

I am not usually on this.

5. XMPP (Jabber)
This is a protocol which I love. It supports signing into other services like Facebook and Skype, and also supports talking to people on other XMPP servers. XMPP is supported on all platforms and can be used fairly securely. If you want to fix issue x, you can do so. For example, the traffic correlation issue can be fixed by setting up the server behind a Tor hidden service.

My favorite XMPP server is Prosody. You do not have to set up your own server if you don’t want to, as services such as jabber.org exist, and you can get an account on my server by contacting me or registering using XMPP. Servers can have SSL enabled and can also force SSL, which is a good thing. Make sure that when you connect to any XMPP server you are using SSL, so that your messages at least get encrypted to the server. You can further secure your messages by using OTR or GPG, but I think if you trust the server you’re talking with, there is no need.

My account is james@gec.im (x is for XMPP).

6. IRC (Internet Relay Chat)
Mainly designed for chat-room style messaging, but it can also be used for private messaging with OTR.

I have my own server at irc.gec.im, where I hang out in #hangout. IRC is the same sort of thing as XMPP: you can fix the issues that exist and can encrypt your messages using OTR. I only have SSL enabled on my server, at port 6697.

Textual (IRC client): https://github.com/Codeux-Software/Textual https://www.codeux.com/textual/

As an overview, I prefer XMPP and IRC as messaging systems. If you want to talk with me, try using one of those, as I am pretty much always on them. You should now have a better understanding of how to protect yourself when talking with friends.


This little board is a cheap serial to WiFi device that allows hooking up devices like the Arduino to WiFi for wireless control.

I plan on using this for my room lighting whenever I get around to playing with it.


Privacy – Passwords

Passwords are hard to make secure these days, and we need more than one password, because if your one password gets stolen the malicious person can access everything you own. The problem with having so many passwords is that we no longer remember them. So what do we do when we don’t remember passwords? We write them down in a notebook. What is wrong with writing them in a notebook? Say someone finds it in your house, or you keep it in your purse and lose it: you lose all your passwords and someone else knows them. Another issue is that when we make a password, we don’t come up with something random; we usually make it something memorable, which means it’s something like married1998 or spotthedog23. These are some of the worst passwords one can come up with. Why? Because hackers can guess these easily, since they know people do this. So the passwords you really need should look something like B^xD2$9zXP@#9t68w4U4UJ5r%J77SV. But there is no way you would want to type that or remember it, so this is where password managers come into play.

Password managers keep track of all the passwords you use, make it easy to use them, are able to make unique passwords for the sites you use, and encrypt your passwords using a master password to protect them from simply being stolen. These are all great reasons to use a password manager.

Here are some password managers I recommend:
1. LastPass
LastPass is a cloud-based password manager which stores all your passwords in their data center and syncs between the devices and browsers you use. One issue with going with a cloud-based password manager is that if they don’t do security right, malicious people can possibly break in and steal all your passwords. This is something LastPass has done right.

They have had break-ins in the past; however, each time nothing important was stolen and they learned from their mistakes. At most, what was stolen was a hash of the master password, and they hash passwords well enough that it is incredibly hard to reverse the hash into the actual password. For this reason, this has become the password manager for me.

They allow one type of device for free (mobile, tablet, or computer), but if you want to use more than one type, it costs $12 a year, which is a steal for something that protects your online life.

2. KeePass
This is an open source password manager which is free, but platform availability is limited. It was made for Windows, but has unofficial releases for Linux, Mac, Windows Phone, Android, and iOS. I don’t personally trust “unofficial” releases, so I’m sticking with LastPass.

3. 1Password
This password manager is quite nice; the only thing that prevents me personally from using it is that it doesn’t support Linux and is expensive, in my opinion, at $50.

Now my recommendation on how to do passwords is as follows.
1. Have a password you don’t care about for sites you don’t care about that don’t have important information (like forums).
2. Make your master password long and give it lots of entropy (use many kinds of characters). You can use something like https://www.grc.com/haystack.htm or https://passwd.gec.im/ to get an idea of how good your password may be.
3. Pad your master password; for example, put %^@3 at the front of the password and *22#$ at the end, or something like that.
4. It’s ok to use phrases to make the master password memorable, like maybe “I walked to the Candy Store, and I found some Butter Finger candy bars.” That mixed with some padding is “&*2^ I walked to the Candy Store, and I found some Butter Finger candy bars. $#6(”, which could take 50.42 thousand trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries to crack.
5. Use absolutely random, maximum-length passwords for any place that has your credit card info or access to your money.
6. Protect your email address with two factor authentication and a random password because it can be a weak point for entry into your accounts.
7. Use two factor authentication on your password manager if possible so people have to both know your password and have your phone to get in.
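Steps 2 to 4 above lean on a haystack-style estimate of how large a brute-force search space a password forces on an attacker. The following is an added example written for this page, not the GRC Haystack tool or anything from the author; it assumes the common haystack convention of four character classes (26 lowercase, 26 uppercase, 10 digits, 33 printable symbols including the space) and of an exhaustive search that works through every length up to the password’s length. The guess rate of 1e14 per second and the `pad` helper are my own constructions for the demonstration.

```python
import string

# Character classes as a haystack-style estimator counts them.
# Assumption: the 33 printable ASCII symbols include the space character.
CLASSES = {
    "lower": set(string.ascii_lowercase),     # 26
    "upper": set(string.ascii_uppercase),     # 26
    "digit": set(string.digits),              # 10
    "symbol": set(string.punctuation + " "),  # 33
}


def alphabet_size(password):
    """Size of the alphabet an attacker must assume, given which classes appear.
    Using even one symbol forces the whole symbol class onto the attacker."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password):
    """Number of candidates an exhaustive search tries if it must cover every
    length from 1 up to len(password) over the inferred alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time to try the whole search space at a fixed guess rate."""
    return search_space(password) / guesses_per_second


def pad(password, front, back):
    """The padding step from the list above: bolt extra symbols onto both ends."""
    return front + password + back


def report(password, guesses_per_second=1e14):
    """Summarise length, alphabet, search space and years at the given rate
    (1e14 guesses/second is an assumed figure for a large cracking array)."""
    secs = seconds_to_exhaust(password, guesses_per_second)
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "search_space": search_space(password),
        "years_at_rate": secs / (365.25 * 24 * 3600),
    }


if __name__ == "__main__":
    weak = "married1998"                       # memorable, from the post above
    padded = pad(weak, "%^@3", "*22#$")        # same password with the padding step
    for pw in (weak, padded, "B^xD2$9zXP@#9t68w4U4UJ5r%J77SV"):
        print(pw, report(pw))
```

The padded version of married1998 gains both length and the full symbol class, so its search space grows by many orders of magnitude. Note what this estimate does not capture: a real attacker tries dictionary words, names and years first, so married1998 falls far sooner than the brute-force figure suggests, which is precisely why the post steers toward a manager-generated random string for anything that matters.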


This is what you have to do until Public Key encryption becomes popular. The one I’m waiting for is https://www.grc.com/sqrl/sqrl.htm.

Privacy – Search

Choice of search engine is another item which helps protect your privacy. Both Google and Bing keep a log of everything you search for and use it to improve search results and to provide information to the government when requested.

Google https://history.google.com/history/
Bing https://www.bing.com/profile/history
Yahoo (A bing proxy) https://search.yahoo.com/history
Ask doesn’t provide you with a way to see or delete history, though they do collect this info.

In order to get better privacy, you have to use a proxy site. These proxy sites search on your behalf and do not keep logs of what you search for or when you search. This protects you when you search for “How to build a bomb” and don’t want to get caught ;).

Proxy Search Sites I recommend are:
1. searx
This is the one I personally use; it is open source, secured with SSL properly, and provides many preferences to customize which search engines you want enabled. My personal settings are DuckDuckGo and Google as the search engines. One thing I never understood is why they default to Google and three Bing-based search engines (Bing, Yahoo, and DDG).

2. privatesearch.io
Another implementation of searx, but not fully updated, and it uses CloudFlare as an intermediary, so I do not know how safe it is. Because CloudFlare is a man in the middle, CloudFlare could be keeping logs, and the server that actually hosts it could be sending the data insecurely to CloudFlare. So you can use this service if you like, just be aware of the details.

3. DuckDuckGo
This search engine is the most popular proxy search engine out there. There are two issues I have with it: it is a proxy for Bing and other search engines (https://duck.co/help/results/sources/), which doesn’t give me the search results I want as a programmer, and DDG is not open source, so I can’t see how it works.

4. startpage
This is a Google search proxy which is similar to DDG. The only thing I have against it is that it’s not open source.

Everything is up to you on what you want to use. I may eventually write my own search proxy in Go, because Go is my favorite language. I had a search proxy before, and I even attempted to make my own search engine which crawled the interwebs, but quickly found that I failed at it. There is a reason these search companies have multiple gigabit connections and lots of servers.

Privacy – Browser

The next line of defense is the web browser you use, because it is usually what you use to talk to the world. If you use a browser which doesn’t respect your privacy, you are basically giving the company everything that you do online. If you have a plugin that is prone to vulnerabilities, you risk being exploited and having malware take over your machine. Because OS browsers are not updated quickly, I would not recommend using the browser that comes with your OS unless it’s a Linux/BSD system.

Browser Suggestions:
1. FireFox
This is the one browser I use and recommend. It respects the privacy of its users and is updated constantly to fix security problems. Firefox also has an advanced extension API which allows for tools that increase security and privacy far better than other browsers.

2. Chromium (not Chrome)
Chromium is the open source version of Google Chrome and is safer to use than Google Chrome when it comes to privacy. It’s not as good as Firefox, but it is good enough for some people.

Extension Suggestions:
1. HTTPS Everywhere
Available for Firefox and Chrome

This extension forces websites which are known to support SSL to be loaded over SSL from the very first connection. That prevents the use of tools like sslstrip on such websites; sslstrip watches for the first insecure connection and prevents the redirect to the secure version.

2. Privacy Badger
Available for Firefox and Chrome

Privacy Badger is an anti-spying extension which watches how third party domains behave. If a third party domain is acting like a tracking site, Privacy Badger will take action, either blocking its cookies or blocking the domain entirely, preventing the third party from tracking you.

3. uBlock Origin
Available for Firefox and Chrome

uBlock Origin blocks content that may not act in your interest, such as advertisements, sites known for malware, and sites known to track. It is lightweight and highly configurable.

There is another extension called uBlock which is similar, but not maintained by the original developer. I recommend going with the extension by the original developer.

4. uMatrix
Available for Firefox and Chrome

This extension is made for the more advanced user. It allows whitelisting of specific things websites can do, first party and third party. It is somewhat like an add-on for Firefox which was hugely popular with the security community, NoScript, but seems to do some things differently. uMatrix is written by the same developer who made uBlock.

5. Referral Blocking Extensions
Available for Firefox

RefControl allows you to control which sites get what in the HTTP referrer header. The referrer header tells websites where you came from, which can be used for tracking and other privacy-invading purposes.

I set the default action for sites not listed so that third party requests get a forged referrer, meaning that when I leave one site for another, or when one site makes a request to another, it looks like I’m coming from the site I’m going to and not the site I actually came from.

Available for Chrome
Referer Control provides the same power as RefControl for Chrome-based browsers.
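The “forge for third parties” behaviour described above is easy to misread, so here is the decision logic spelled out. This is an added example written for this page, not code from RefControl or Referer Control; the action names, the `site()` rule that treats any difference in scheme or host as third party (subdomains are not merged), and the sample URLs are my own assumptions for the demonstration. The header itself is spelled `Referer` on the wire, which the code keeps.

```python
from urllib.parse import urlsplit, urlunsplit

# Actions modelled on what a referrer-control extension offers.
# Assumption: these names are mine, not the extensions' own identifiers.
NORMAL = "normal"   # send the real referring URL
BLOCK = "block"     # omit the header entirely
FORGE = "forge"     # send the destination's own root URL instead


def site(url):
    """Scheme and host only, used to decide first party vs third party.
    Assumption: any difference in scheme or host counts as third party."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()


def referer_to_send(source, destination, rules=None,
                    default_first_party=NORMAL, default_third_party=FORGE):
    """Return the Referer value the browser should send for a request from
    `source` to `destination`, or None to omit the header.

    `rules` maps a destination host to an action and overrides the defaults,
    mirroring the per-site list plus a default action for unlisted sites."""
    rules = rules or {}
    dst_scheme, dst_host = site(destination)
    first_party = site(source) == (dst_scheme, dst_host)
    default = default_first_party if first_party else default_third_party
    action = rules.get(dst_host, default)

    if action == BLOCK:
        return None
    if action == FORGE:
        # The destination learns only that the visitor came from its own front page.
        return urlunsplit((dst_scheme, dst_host, "/", "", ""))
    return source


if __name__ == "__main__":
    # Constructed sample: a cart page whose query string would otherwise leak.
    cart = "https://shop.example/cart?user=42&coupon=SPRING"
    print(referer_to_send(cart, "https://shop.example/checkout"))
    print(referer_to_send(cart, "https://tracker.example/pixel.gif"))
    print(referer_to_send(cart, "https://tracker.example/pixel.gif",
                          rules={"tracker.example": BLOCK}))
```

The interesting case is the third-party request: the tracker still receives a Referer, but it only names the tracker’s own origin, so the cart URL (and the query string riding on it) never leaves the first-party site. Blocking outright is stricter but some sites refuse requests that arrive with no referrer at all, which is why forging is the more usable default the post settles on.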

Make sure you do not have Flash or Java enabled in your browser. It’s ok if they are set to click-to-enable, but having them enabled by default is a bad idea with all of the vulnerabilities which exist in these old plugins.

In Firefox you can check what’s available by going to “about:addons” without quotes in the address bar.
In Chrome-based browsers you can check by going to “chrome://plugins/” without quotes in the omnibox.

Privacy – Operating Systems

The first thing to think about when you think privacy is the operating system (OS) you use. If you’re using a popular OS, that leaves you open to being a target of the hacker community. If you’re using an OS which doesn’t care about your privacy, such as Windows 10/8/7, you risk your information being seen by administrators of the servers or by hackers who break in.

For every operating system other than the one you use, you will have a learning curve to learn how to use it and to find new applications to replace the ones you used.

Here are some of my choices for an Operating System.
1. Mac OS X
Apple does a good job at privacy and security by providing privacy tools, asking up front if you want to enable something that may infringe on your privacy, providing full drive encryption, preventing random applications you download off the internet from running unless Apple itself is aware of them (whitelisting), and providing built-in anti-malware which can be updated on the spot by Apple to remove newly found malware or prevent it from being installed.

There are some disadvantages to using OS X though. You are pretty much stuck with buying or having a Mac to run OS X. You can get around this with what is called hackintoshing, but you have to understand UNIX pretty well to do so. Being one of the top operating systems, there are hackers looking into vulnerabilities, and Apple isn’t exactly quick to release patches. Apple usually waits until it has a lot of things to fix before releasing a patch for the OS.

Some advantages are that, because it’s a popular OS, lots of programs are being developed for it, and you can even run some Linux applications on it using Xorg.

2. Elementary OS
This OS has no issues with privacy as far as I am aware, and in fact has a privacy-enhancing mode which makes things you do, such as browsing history, temporary. It acts as an OS and nothing more.

One thing Elementary OS does well is look pretty. It is based on Ubuntu, which is based on Debian, so you get the benefits of both in one. You can configure the Dock to auto-hide or auto-show so it doesn’t take space on screen, giving you a lot of room for windows.

Because Linux isn’t popular, you will not have as many programs as are available for OS X and Windows, but you can use Wine to run some Windows programs, or even run Windows in a virtual machine to run all Windows programs. Elementary OS comes with the Ubuntu Software Center, a directory of programs you can install, which makes finding alternatives easy.

You get amazing security using this because it is Linux and any security vulnerabilities are patched quickly by Debian.

3. Linux Mint
Same as Elementary OS but with a more Windows-like UI. The different versions are just different UIs; I encourage you to play with the different versions before using one. If you would prefer not to be based on Ubuntu, but on Debian itself, you can download the Debian Edition: http://www.linuxmint.com/download_lmde.php

4. Ubuntu
Ubuntu does have a privacy issue out of the box, but you can easily disable it via the privacy settings. By default Ubuntu includes web results when searching in the Unity search box; this both slows down results and is a privacy issue, because everything you type in the search box goes to Canonical (the parent company).

Ubuntu sort of mixes Mac and Windows into its own thing as far as UI goes. Everything else is the same as Linux Mint and Elementary OS.

The great thing about Ubuntu is there is lots of support for it. It’s hard to find software that will not work on it. If you have trouble, there is a great community ready to help.

If you want Ubuntu without its default UI and without the privacy issue, Ubuntu GNOME (https://wiki.ubuntu.com/UbuntuGNOME/) exists and uses the GNOME UI. Xubuntu (http://xubuntu.org/), which uses the XFCE UI, and Kubuntu (http://kubuntu.org/) also exist.

5. Debian
This OS is more for the geeky community. It’s more bare-bones and doesn’t come with a software center, making it harder for the normal computer user to find software. It has great privacy and provides multiple UIs; I recommend you try the different UIs in a virtual machine before using one. I personally like GNOME and the standard Debian UI, which is chosen by default.

6. Arch Linux
For the true geek. You have to know Linux to install the OS. They have tutorials that teach you what you need to know to install it, but you will likely get lost if you don’t know much about the terminal. You start off in a terminal; you have to format and install onto a hard drive manually, configure the internet manually, and install a UI manually. It really is for the true geek. You get the best privacy and security with this OS though, because its packages are always up to date, which means you get security updates really quickly. Some things require you to use the user repository, which is hard to use unless you have yaourt installed.

7. BSD Variants
I have not tried NetBSD, PC-BSD or OpenBSD, but I’m assuming they’re similar to FreeBSD. These are true UNIX solutions, which means many of the programs that work on Linux will also work on these systems with minor or no changes to the code. The only issue I have with BSD is that I do not know how good support is, as it’s even less popular than Linux. Mac OS X has some things based on FreeBSD, like the user space, and Juniper (a commercial router company) and Netflix use FreeBSD as their core OS.

From what I’ve seen, installation is similar to that of Arch Linux, so it’s not made for the common user who doesn’t know much about the terminal.


For the best privacy, I recommend Arch, BSD, Debian, Linux Mint, or Elementary OS.

You can test any of the Linux operating systems I have specified with Virtual Box (https://www.virtualbox.org/) which is an open source virtual machine environment for almost every OS.

Before installing, make sure to back up any important files, as you may accidentally or intentionally delete them.

When you want to install to a system, simply burn the ISO to a disc or use YUMI (http://www.pendrivelinux.com/yumi-multiboot-usb-creator/) to put it onto a USB drive, then boot off the installation media.

Installation steps are different if you want to dual boot with your old OS or if you want to single boot into the newer one. Single boot is always the easiest method.

I need a better lens.

Even my new lens is not good enough for the moon. I need a telescope with a t-ring and a t-ring adapter for my camera. The camera has great resolution, just not great zoom.


Photos from Colorado

[Photos: DSC04998, DSC04999, DSC05010, Panorama]


I haven’t posted in a long time, so may as well post images of my desktop internals.

They have nice specs. They run UNIX/Linux 90% of the time. The gaming machine is the only machine that runs Windows, and it runs it with the web browser sandboxed and in a standard user account. I don’t want those drive-by sites taking over the machine. Usually when I download something for it, I download it using UNIX/Linux and scan it before moving it to the Windows side. Something you will learn about me is I can’t trust Windows.

Photo of media server.


Photo of gaming machine.


Find a Girl Friend

You can do anything in Linux


© 2020 Mr. Gecko's Weblog
