Data Privacy: a utopia in a dystopian world.

There’s no such thing as data privacy. Every single company will sell your data one way or another. Your mobile carrier, Facebook, Google, Apple, Amazon, your favourite local (online or offline) store, even your government!

Almost everything that you use these days needs information about yourself. Location, email, mobile phone number, credit cards, bank accounts, passports, national id documents and so on.

Remember how Pablo Escobar was caught? Triangulation, baby!

“…used high-powered antennas to calculate the general direction of his transmission during a phone call with his son. Once this first bearing was charted and visually confirmed, roving pairs of high-tech surveillance vans crisscrossed the streets of Medellín in search of the strongest hits on Escobar’s frequency. When the operators’ equipment calculated the area where all three lines intersected, the race was on to close the distance … where a block search finally yielded Escobar’s precise location.” Wired.com, Sep 2016

This happened almost 30 years ago when military GPS was in “beta version”, when there were no smart devices and no Gigabytes.

Now take all the time you need and think about data privacy in 2019.

Ice Age

I come from the ice age. I started doing what is today called “web development” at the time of the first release of PHP 3.0 and ASP 3.0. That happened in the previous millennium. In the previous century!
 
Back then IE had more than 95% of the market.
 
Until ~2010 it was a complete nightmare to develop front ends. You had to develop special cases for IE. Paddings? Margins? Overflows? Give 10px to IE and it will eat 2 of them. I could write for days about those nightmares, but the memory of clients using IE 6 (worse: IE 5.5) in 2010 still gives me the creeps.
 
When Chrome came into the picture, it was the best thing that could have happened. It was heaven on earth, like jQuery was (and is) for a JS frontend dev. I was among the first people who said: Use IE to download Chrome or Firefox!
 
So if you ask me, a unified browser would be the perfect future. I would ask Google, Microsoft, Firefox and Apple to agree on the f*****g specs and release the first unified version of “Gomfa Browser” (or whatever acronym suits their ego)…

SSL certificates: Let’s Encrypt

In this post I’ll explain how to install free SSL certificates for your website, using Let’s Encrypt. Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

Platform: Ubuntu 14.04, Nginx and OpenSSL, SSH root access

Step 1

Download Certbot (ACME Client Implementation) for Let’s Encrypt:

$ sudo su
$ cd ~
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ ./certbot-auto

Executing ./certbot-auto will first install all the requirements.

Step 2

Generate a strong Diffie-Hellman group. To further increase security, you should also generate your own Diffie-Hellman group. To generate a 2048-bit group, use this command:

$ openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Step 3

Allow Nginx to serve requests from dot-directories (here, .well-known). Add the following lines to your /etc/nginx/sites-enabled/siteconfig*:

server {
# ... snippet start
        location ~ /\.well-known/acme-challenge/ {
           root /usr/local/acme-ssl/;
           index index.html index.htm;
           try_files $uri =404;
        }
# ... snippet end
}

*siteconfig is the file name of your enabled site. eg: mydomain.net.conf

Step 4

Create the /usr/local/acme-ssl/ directory and chown it to the Nginx user (usually www-data):

$ mkdir -p /usr/local/acme-ssl/
$ chown -R www-data:www-data /usr/local/acme-ssl

Step 5

Generate a certificate using Certbot:

$ cd ~
$ ./certbot-auto certonly --renew-by-default -a webroot --webroot-path=/usr/local/acme-ssl/ -d domain.tld -d www.domain.tld

Certbot will save the certificate files in the /etc/letsencrypt/live/domain.tld directory.

Step 6

Enable SSL by making modifications to your /etc/nginx/sites-enabled/siteconfig* file. The new file should look like this:

server {
    listen *:80;
    server_name www.domain.tld domain.tld;
    return 301 https://$host$request_uri;
}

server {
    listen *:443;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    server_name www.domain.tld domain.tld;

    # rest of your server {} block goes below ...
}

Step 7

Test the Nginx configuration and reload it:

$ service nginx configtest
$ service nginx reload

That’s it. Now, when you access http://domain.tld you should be redirected to https://domain.tld/ having a valid certificate.
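
The Step 6 server block still enables TLS 1.0/1.1 and offers a 3DES cipher, so it is worth auditing before reuse on a current server. The check below is an added example, not part of the original post or of Nginx/Certbot; the function names and the abridged sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag legacy TLS settings in an nginx server block.

# Constructed sample, abridged from the Step 6 configuration.
sample_conf() {
cat <<'EOF'
server {
    listen *:443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!DES:!RC4:!MD5';
}
EOF
}

# Print the value of the first occurrence of directive $1 in config text $2.
directive() {
    printf '%s\n' "$2" | awk -v d="$1" '$1 == d {
        sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/;[ \t]*$/, ""); print; exit }'
}

# Read an nginx config on stdin; print one "kind:value" finding per line.
audit_nginx_tls() {
    conf=$(cat)

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); SSLv2/SSLv3 are broken.
    for p in $(directive ssl_protocols "$conf"); do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "protocol:$p" ;;
        esac
    done

    # Cipher strings are colon-separated; a leading '!' removes a cipher,
    # anything else is offered. '!DES' does not remove 3DES (DES-CBC3-*).
    ciphers=$(directive ssl_ciphers "$conf" | tr -d "'\"")
    old_ifs=$IFS; IFS=:
    for c in $ciphers; do
        case $c in
            '!'*) ;;
            *DES-CBC3*|*RC4*|*MD5*|*NULL*|*EXPORT*) echo "cipher:$c" ;;
        esac
    done
    IFS=$old_ifs

    # 'ssl on;' is the legacy spelling of 'listen 443 ssl;'.
    if [ "$(directive ssl "$conf")" = "on" ]; then echo "directive:ssl on"; fi
    return 0
}

sample_conf | audit_nginx_tls
```

To audit a real site file, run: audit_nginx_tls < /etc/nginx/sites-enabled/siteconfig. An empty result means none of these legacy settings were found.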

P.S. Let’s Encrypt certificates are valid for 90 days only. You should create a cronjob that runs twice a day and will automatically renew your certificate. Example cronjob:

30 6,23 * * * /root/certbot-auto renew --quiet --no-self-upgrade
35 6,23 * * * /etc/init.d/nginx reload

This cronjob will run twice a day, at 06:30 AM and 23:30 (11:30 PM), and will renew all the certificates that are about to expire. At :35, the Nginx configuration is reloaded so that it picks up the new certificate.

Youtube sucks. Or why we should kill it!

I am honestly tired of Youtube’s aggressive advertisement. Really now … guys … we are eating ads all day. On TV, on the street, listening to FM, reading online news and more.

Lately, in Spain, every 1-2 videos I have to mute my speakers and switch tabs in my browser. Not only are most of the ads 19-22 seconds long and unskippable, but they are also completely unrelated to my preferences. Youtube … PLEASE, pay some respect to the users that are feeding your bank accounts.

I understand and I agree that every company should find a way to make profits. But if this aggressive advertisement on Youtube is a reaction to the company’s low KPI, then you should rethink your business strategy a little bit.

Until then, with respect, YOU[suck]tube!

Force a logout shortcut, in Ubuntu

If everything is blocked / frozen, you can try this:

CTRL + ALT + F2

After this, you will be asked for your username and password to log in. Type them, then type this:

$ killall -u [your-username] gnome-session

That’s it. Of course, all your unsaved data will be lost!