Categories
internet privacy security society tips

help defeat internet censorship with the Snowflake browser plugin

Photo by Holly Greene on Unsplash

In some countries, you aren’t allowed to surf freely on the internet. Sites are censored, your traffic is monitored, and your privacy and freedom are limited.
Tools like Tor Browser help to bypass these blockades, but where the public Tor relays themselves are blocked, Tor needs bridges: unlisted entry points that the censor doesn’t know about yet. Running a bridge or relay takes some dedication and a certain technical background, but with the Snowflake project anyone can help out and be a part of the Tor network without effort.

All it takes is installing the Snowflake plugin in your browser, and you are set. When it’s active, your browser becomes a temporary proxy: a censored user’s Tor Browser connects to you over WebRTC (to the censor it looks like an ordinary video call), and you forward their traffic to a Snowflake bridge inside the Tor network. You never fetch any pages yourself, the traffic passing through you is encrypted between the user and the Tor network, so you can’t see what they browse, and the sites they visit never see your address, only that of a Tor exit.

The plugin works on Chrome and Firefox. If you want more detailed info, check out the Snowflake pages on the Tor wiki. You can even run a standalone proxy in Docker if you want to go full geek. ;)

So if you feel like giving some authoritarian dictator the finger, go ahead and install the plugin in your browser.

Categories
geek programming security tips

using dependabot without uploading code to GitHub

Photo by Aideal Hwa on Unsplash

GitHub has a cool feature called Dependabot. It checks the dependencies of your repositories against the GitHub Advisory Database and alerts you when one of them has a known vulnerability. For .NET projects, that means it reads your NuGet package references and flags any package with a published advisory, along with the version that fixes it.
This is all great and awesome, but what if you have this huge in-house project that isn’t on GitHub, and you would like to run Dependabot on it?
Uploading the whole codebase to GitHub is one option, but that might not be what you want to do, or are even allowed to do. If anything, you don’t want to get involved with the legal department, right?

Well, there is a little hack you can try. Dependabot only needs the dependency manifest, not your source code; for classic .NET projects that manifest is packages.config. So create a new, empty .NET project, list all the dependencies of your big project in the new project’s packages.config, and you are set.

If you have a lot of projects, you can use the PowerShell script below to merge all the packages.config files in your sub folders into a single one.
Paste the lines below into a .ps1 script and run it from your solution’s root folder.

# Get all <package> lines from every packages.config below the current folder.
$lines = Get-ChildItem packages.config -Recurse | Get-Content | Where-Object { $_ -like "*<package id=*" } | Sort-Object -Unique

# Group them by package id and keep a single entry per package. A package that appears with
# several versions is listed once, with the lowest version, so an advisory that is fixed in a
# later release still triggers an alert. Versions are compared as [version] objects rather
# than as text (otherwise 1.10.0 would sort before 1.9.0); a pre-release suffix such as
# "-beta1" is ignored for the comparison.
$lines = $lines |
    ForEach-Object { [pscustomobject]@{ package = ($_ -split '"')[1]; version = ($_ -split '"')[3]; line = $_ } } |
    Group-Object -Property package |
    ForEach-Object { ($_.Group | Sort-Object { [version](($_.version -split '-')[0]) })[0].line }

# Write the merged packages.config file.
'<?xml version="1.0" encoding="utf-8"?>',
'<packages>',
$lines,
'</packages>' | Set-Content all-packages.config

Afterwards, copy all-packages.config over the packages.config of your new project and push that to GitHub. Keep the repository private: the manifest reveals which libraries and versions your product depends on, which is far less sensitive than the source, but it is still a map of your stack.
Then enable Dependabot alerts on the fresh repository (see Settings > Security & Analysis), and pretty soon you’ll get a report on any packages with known advisories, together with the versions that fix them. One caveat: because the merge keeps a single version per package, an advisory that only affects one of the versions you dropped will not show up. If you need that coverage too, make a second project that keeps the highest version instead.

The same trick works for other ecosystems, like JavaScript (package.json with its lock file) or Python (requirements.txt), as long as you have some sort of manifest file that lists the packages and versions you are using.

Categories
internet privacy security software tips

how to use messenger and facebook without the app

Facebook is probably the worst social media company out there, so it makes sense that you don’t want their apps on your phone. But unfortunately your less privacy-conscious friends are all gleefully using Facebook and Messenger, and you don’t want to miss out.

I understand your pain. Here’s a simple guide to still use Zuck’s book on your phone, without the dreaded apps.

Step 1: get a new browser app

We’re going to use the mobile site, which works quite well. To separate all the Facebook traffic from our regular surfing habits, we’ll use a completely different browser app. A separate app has its own cookies and site storage, so the Facebook and Instagram trackers embedded in other sites can’t link your normal browsing to your logged-in session. (It doesn’t hide your IP address or your phone model, so this limits tracking rather than eliminating it.)

Head over to the Google Play Store and search for “browser“. You’ll see a big list of browser apps, so you just have to pick one you’re not currently using. You are most likely using Chrome as your main browser, or the Samsung browser if you have a Samsung phone, so you can go for Firefox or the DuckDuckGo Privacy Browser as your alternative. Both are good browsers, and I’ve used them both for faking the Facebook. I even use Firefox as my main browser.

The Android Play Store results when looking for a new browser.

Step 2: open your newly acquired browser app, and surf to facebook.com.

After you log in, you’ll be able to use the mobile site pretty much like the app. Since this is a separate browser, just leave your Facebook tab open. Next time you start your dedicated Facebook browser, you’ll already be logged in. Easy-peasy. Just don’t use this browser for anything else; if you do, Zuck will be able to follow you around on every site that embeds anything from Facebook or Instagram.

Step 3: set up messenger.

Messenger sucks, because Facebook forces you to install the app when you try to read your messages on the mobile site. There is a way around this, though.
Messenger still works on the desktop site, the one you use on your PC or laptop, right? So we just have to tell Facebook we’re using that from our phone.
You can do this by opening facebook.com in a second tab of your new browser. Now tap the 3-dot menu in the menu bar and tick the “Desktop site” checkbox. The page will refresh and look pretty much the same, but now it thinks you’re visiting from a desktop PC. Open the Facebook hamburger menu, choose Messenger, and voilà, there are all your messages and contacts.

The trick is to leave this second tab open on your phone as well, so you have quick access to your messages whenever you like. After not using it for a while, you might get the “install the app” message again. This happens because the tab reloaded and is back in mobile mode. When it does, just go back into the 3-dot menu of your browser and tick the “Desktop site” checkbox again. After the page reloads, you’re set.
A minor inconvenience for the added privacy of not having Zuck’s spy-apps on your phone if you ask me. ;)

An Android app icon showing Fakebook instead of Facebook. Funny, isn't it?

Step 4: change the icon.

If you want to get fancy, now is the time to long-press the icon of your now dedicated Facebook browser app and change the icon to… the Facebook icon, perhaps? I also change the name to something more appropriate, like Fakebook.

Step 5: convince your friends to not use Facebook, WhatsApp or Instagram.

Just kidding.
Maybe.

Categories
geek security software tips

a practical guide to using KeePass password manager

Thinking about using a password manager that is free and secure, and you have your doubts about the online ones? Well, lucky you, this is just the post you are looking for.
With all these hacks and breaches going around, you shouldn’t be reusing passwords, and you know it. Instead, let a password manager generate long, random, gibberish-like passwords for every login. Cracking one of those from a leaked password hash would take an attacker thousands of cores and millions of years, and even if a site leaks it in plain text, it only works on that one site.
Trusting all your passwords to a piece of software? Is that a good idea? What about if I need my passwords on another machine, or my phone? What if I’m on vacation?
I’ve been storing all my passwords in KeePass for many years now, so I’ll share my setup. You can use this as inspiration to set up your own KeePass flow.

Why KeePass

There are a few cloud-based alternatives out there, but when I started with KeePass those weren’t around yet, or I didn’t know about them.
I thought about switching to one, but eventually didn’t because:

  1. They are not free, or have limited free plans.
  2. They use proprietary software, so you can’t tell how they work or whether they really store your passwords safely. KeePass, however, is open source and has been audited for security in the past.
  3. Their database format is not open. The KeePass database format is, so there are multiple clients for every OS that can work with the same password database file. If you don’t like one client, just look for one you like better.
  4. Storing all your passwords on a server owned by someone else, without a local backup, sounds like a bad idea to me.
  5. Some can’t be used for anything other than websites: desktop app credentials, SSH logins, and other weird and geeky stuff you need random secrets for.

Yes, they are slightly more convenient and look a bit more polished. But for me, that doesn’t weigh up against the extra control I get with KeePass.

Installing KeePass

KeePass runs on Windows, and on Linux and macOS through Mono; for Android there are compatible apps (more on that below). It’s a typical installation. If you’re as geeky and paranoid as me, you download it from the main site and verify the download: the site publishes hashes and an OpenPGP signature for every release. Prefer the SHA-256 hash over MD5, which is no longer collision-resistant, and better still, check the signature against a key you obtained some other way. A hash served from the same page as the download only proves that the file wasn’t corrupted or swapped on a mirror, not that the site itself is intact. It hasn’t happened to KeePass, but it did happen to the Linux Mint ISOs at one point, where the website was hacked and the published checksum matched the backdoored image, so you can never be sure.

There is a getting started guide on the KeePass website that guides you through setting up and creating a first database. This Lifehacker post does the same thing and also has some nice screenshots for guidance.

There is also the great cross-platform client KeePassXC for Windows, macOS and Linux, if you tend to swap between OSes. It looks nicer and has browser integration built in, which might be something you are looking for.

Securing your password database

When it comes to securing your password database, the master password that unlocks it has, of course, to be a pretty damn good one. Whoever gets hold of the database file (from a stolen laptop or a cloud drive) can guess at it offline with no lockout, so length is what counts: 10 characters is the bare minimum, more is much better, and mixing upper case, lower case, digits and special characters helps less than simply making it longer. KeePass slows each guess down with a key derivation function (the number of rounds is configurable in the database settings), but that buys you a constant factor, not a defence against a weak password. On top of that, you’ll have to be able to remember it too. So I guess this is one of the hardest bits.
There are tricks to make this easier, though. Think of a phrase you can easily remember, or any list of words. Take the first letter or first few letters of each word, mix in some special characters, and you end up with something hard to crack and easy to remember.
Or come up with a passphrase of random words you can remember. Don’t use Correct Horse Battery Staple or a popular lyric, because those are in the password lists already. Make the words actually random: roll dice against one of the EFF word lists (a phrase you pick yourself is never as random as you think), or use a generator that runs locally, such as the passphrase generator built into KeePassXC.

Just be original. Or try anyway.
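To show what the dice method buys you, here is an added example (not code from the original post or from KeePass) that implements it: it parses a word list in the EFF file format, picks words with dice rolls from a cryptographically secure source, and works out the entropy so you can compare a passphrase against a character password. The 36-word list embedded below is constructed for the example and keyed by two dice; the real EFF long list has 7776 words keyed by five dice and must be downloaded and loaded from a file.

```python
import itertools
import math
import secrets

# Constructed sample in the EFF word-list file format: "<dice roll><TAB><word>", one word per
# possible roll. Two dice give 6**2 = 36 rolls (11..66). The real EFF long list uses five dice
# (11111..66666) and is loaded the same way: parse_eff_wordlist(open("eff_large_wordlist.txt").read()).
_SAMPLE_WORDS = [
    "abacus", "abdomen", "abide", "ability", "able", "abroad",
    "absent", "absorb", "absurd", "abuse", "accent", "access",
    "acclaim", "accord", "account", "achieve", "acid", "acorn",
    "acoustic", "acquire", "acre", "acrobat", "action", "active",
    "actor", "acute", "adapt", "addict", "adjust", "admire",
    "admit", "adopt", "adult", "advance", "advice", "aerobic",
]
_SAMPLE_ROLLS = ["".join(d) for d in itertools.product("123456", repeat=2)]
SAMPLE_WORDLIST_TEXT = "\n".join(f"{r}\t{w}" for r, w in zip(_SAMPLE_ROLLS, _SAMPLE_WORDS))


def parse_eff_wordlist(text: str) -> dict[str, str]:
    """Map each dice roll (e.g. '31') to its word, checking the list covers every roll exactly once."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        roll, word = line.split()
        if set(roll) - set("123456"):
            raise ValueError(f"bad dice roll {roll!r}")
        table[roll] = word
    ndice = len(next(iter(table)))
    if any(len(r) != ndice for r in table) or len(table) != 6 ** ndice:
        raise ValueError("word list does not cover every dice roll exactly once")
    return table


def roll_dice(ndice: int, randbelow=secrets.randbelow) -> str:
    """Roll ndice fair dice. secrets.randbelow is a CSPRNG; random.randint would not be."""
    return "".join(str(randbelow(6) + 1) for _ in range(ndice))


def passphrase(table: dict[str, str], n_words: int, randbelow=secrets.randbelow, sep: str = " ") -> str:
    """Pick n_words by dice roll. Each word is an independent uniform choice from the list."""
    ndice = len(next(iter(table)))
    return sep.join(table[roll_dice(ndice, randbelow)] for _ in range(n_words))


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `choices` options: length * log2(choices).
    This only holds when the picks really are random; a phrase chosen from memory has far less."""
    return length * math.log2(choices)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words from a list of list_size that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    table = parse_eff_wordlist(SAMPLE_WORDLIST_TEXT)
    print("sample passphrase (toy 36-word list):", passphrase(table, 6))
    for label, choices, length in [
        ("6 words from the 7776-word EFF long list", 7776, 6),
        ("10 random printable ASCII characters", 95, 10),
        ("12 random printable ASCII characters", 95, 12),
    ]:
        print(f"{label}: {entropy_bits(choices, length):.1f} bits")
    print("words from the EFF long list for 80 bits:", words_needed(7776, 80))
```

Six random words from the EFF long list (about 77.5 bits) beat ten random printable characters (about 65.7 bits) and are far easier to remember; to reach 80 bits you need seven words. The randbelow parameter exists only so the selection can be driven deterministically in a test; in real use leave it at secrets.randbelow.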

Small steps

When I started out, I didn’t trust KeePass enough to dump and change all my passwords from day 1. I started simple, by adding new sites I registered for and using randomly generated passwords from the built-in password generator. Later I added the sites I used frequently and changed their passwords to more complex ones. Now everything is in there. Not every password is random, though. Really important accounts I also have in my head, using a unique, complex password that I can still remember. Those accounts also have 2-factor authentication activated, so even if a hacker finds the password, they still won’t get in.
Knowing those key passwords is also a fallback in case I don’t have access to my KeePass DB for some reason.

Syncing the DB

Now you want to use this on more machines than just your laptop, I guess.
There are a few options:

  1. You put the DB on a thumb drive you always have on you. This is a good backup too. You can use PortableApps or a portable KeePass version on the thumb drive and use it anywhere like that.
  2. You sync the DB to your favorite cloud drive and sync it to every machine you want to use it on.

I use Dropbox myself, which is great for syncing between home, work and my phone. OneDrive would also work, as it works pretty much the same way. One thing to watch out for: if you edit the database on two machines before the sync catches up, you end up with two diverging copies. KeePass can merge them (File > Synchronize), so use that rather than overwriting one with the other.
There are also a number of plugins for KeePass to sync to Google Drive, FTP and other online providers, so I’m sure you’ll find something you like.

On your phone

Phone closeup with simcard and micro SD card.

If you want access to your passwords on your phone, you’ll need some extra apps. I use Android myself, but I’m sure the same apps exist for iOS.
You will need 2 apps: one to open and use the database, and one to sync the file to your phone. You could copy the file manually instead, but I wouldn’t advise it.

To use the database, there are plenty of options when you search for KeePass, but the best one I’ve used so far is Keepass2Android.

For syncing the file to my phone, I used to use Dropsync. This syncs a Dropbox folder to a folder on your phone. You can use the free version if you’re only setting up 2 folders.
You can also use the Dropbox app itself and mark the file to be available offline, but I’ve noticed this doesn’t always work. I often ended up with an old version of the database when I needed it.
Nowadays, I’m using FolderSync, which can sync probably any cloud provider, and use protocols like FTP, SMB, WebDAV etc. It’s great.

Extensions

KeePass has a ton of plugins allowing you to customize it for all sorts of things. There are plugins to have it integrate in your browser, synchronize files over all sorts of protocols and services, export, import, add visual features and whatever.

I use as few plugins as possible, though, because each plugin runs inside the KeePass process with full access to your unlocked database, so every one of them is extra attack surface. Yes. Tin-foil hat here. But LastPass’ browser extension had vulnerabilities a while ago that could leak your login credentials, so there you go.

By using the standard keyboard shortcuts on PC, you can get a long way already. Be sure to check out the Auto-Type override documentation if you have a website which isn’t playing nice with the defaults. You can find a way to get it to work for 99% of the websites out there. The other 1% just have really shitty UX.

Categories
internet privacy security society

join the EFF summer security reboot and get some cool dice

The Electronic Frontier Foundation is at the forefront when it comes to defending our digital rights. Even as a European I think they are doing important work, even though they are mostly US-centric, because whatever happens in the US ripples over the pond and affects Europe and the rest of the world anyway. That means that, next to larger fast-food portions, increased digital surveillance is on its way to the EU as well.
Next to protecting our digital rights, they are the authors of a number of awesome security tools, like the HTTPS Everywhere and Privacy Badger browser plugins, and a driving force behind Let’s Encrypt, the free certificate authority.

Next to a lot of security tools and tips (see the site & newsletter), they now have a Summer Security Reboot fund drive where you get a cool, geeky set of dice for generating random passphrases from a word list with a mere $20 membership, until the 20th of July.

So if you like what they are doing for a secure and free internet in the future, go check them out and get yourself some cool dice in the process.

If you feel more like donating to an EU-centric counterpart of the EFF, check out EDRI.org instead (no dice there, though).

Photo by Violet Blue, cc-licensed.