Category: Security

Review: It Appears That uMatrix Is Back Under Development

This article is a bit of a review of some software called ‘uMatrix’. If you’ve never heard of it, it’s an impressive piece of software – especially considering it’s a browser extension.

I was nosing around some old projects in my GitHub when I decided to look upstream. Lo and behold, Ray Hill (gorhill of uBlock Origin fame) has picked up developing uMatrix again. (Install through your browser’s extension manager. Links below.)

What is uMatrix? GitHub page here.

Well, do you remember old school firewalls where you could not just block things by application, you could be even more refined – like narrowing it down to which port, ingress or egress, and even which domains that application could connect with?

Imagine something similar to that, except it’s for your browser. For each page, you can elect to block images, CSS, cookies, scripts. Then, you can decide which scripts and which CSS to allow through. You can elect which third party assets load, from cookies to images – and you can do so on a domain name basis.

There’s a learning curve. It’s a pretty big learning curve for a browser extension. Plan on a couple of hours to really get used to it – and to get your favorite sites configured. You need only configure them once and then you can backup the settings so that you can use it on multiple devices or put it aside for safekeeping. 

It WILL break sites. You WILL get frustrated.

More About uMatrix:

If I took privacy serious and were more security focused, I would not use the internet without uMatrix. As it stands, I have an older version (now updated) configured in one browser for when I want to visit stuff I absolutely don’t trust. If you take privacy serious (and cross-domain scripting, third party cookies are a huge no-no, but so shouldn’t images and CSS files) then you really, really should take a look at this extension.

Take a look at this:

uMatrix in Opera.
Look a little daunting? You can figure it out. I have faith in you!

In each of those columns, you can click to block it everywhere or to allow it on this one specific domain. As you can see, there’s everything from cookies to CSS, from media to scripts. The refinement you can achieve is amazing. It will take some work and time for you to ‘get good’ with uMatrix.

Now, you basically want it to operate in the default configuration you have it in right after installing, only allowing CSS and images from the domain you’re visiting.

When a site refuses to work properly, you can start by allowing scripts on an individual basis – on the per-site basis you see from the domains listed on the left. You can click on two areas in each column to give fine-grained permissions. After a while, you can get pretty quick at deducing why it doesn’t work. It’s usually a script from another site that needs to be enabled.

You’ll also learn how much cruft the web has, browsing much faster and having fewer scripts chew up your CPU and RAM. If you have a low-end computer, this is also a must-have.

At one point, Hill had stopped working on the project and shuttered it. I’m not sure when he started working on it again. I’m glad they did because it’s the best privacy and security browser extension I’ve ever seen in my life. Now that he’s working on it again, I feel comfortable recommending it.

uMatrix Review:

Really, I wrote this to share my joy. If I had to review it, and I guess I have to, I’d give it a solid 9.5 out of 10. I’ve deducted a half point because there’s no effort to make it all that intuitive to new people and this makes the learning curve harder. It’s hard to explain, but once you see what it does you will understand it better.

Not even I can make it all that intuitive until you actually test it out and start browsing the web with it. If you get frustrated, settle down and relax. You can make it work. It will take some time to get used to the new paradigm. You can browse much faster (more so than from just blocking ads) when you’re not loading a bunch of 3rd party cruft.

You might as well know where to get it. It’s available for the two major browsers, plus in Opera’s own little extension store. These extensions work fine on same-family browsers, like Pale Moon or Google Chromium.

You can pick it up for Opera here.

Of course, you can pick it up for Firefox here.

And you can pick it up for Google Chrome here.

Give it a shot. Commit to browsing with it for a full day and see for yourself what the web is like when  you’re not loading tracking cookies, scripts, ad images loaded from other domain names, and so much more.

By the way…

I worried more about these things years ago, back when I was a Windows user and for the times when broadband wasn’t a realistic option. I was more concerned with my security and letting scripts load in the browser, so I’d use uMatrix. It had the added benefit of doing a great deal to protect my privacy by making it extremely difficult to track my movements across the web. These days, browsers are much more secure and run in their own containers and I care less about privacy.

Even just blocking remote scripts, media, and images will speed up your browsing noticeably. By the time you have it configured for the sites you visit, you’ll have a pretty secure and private browsing experience. You should also consider making it work in incognito mode if you make regular use of private browsing.

Closure:

There you have it, another article. This one is a review of uMatrix, one of my favorite browser extensions even though I don’t actually bother with it for most of my browsing. I used to browse with it exclusively, but I’ve given up caring. If you care, and many of my readers do, then I highly recommend trying it for a full day. Commit to a full day and then leave a comment telling us of your experiences.

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your own site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

Review: MetaClean (Clean Exif/meta Data From Email Attachments Automatically)

Today’s article is about MetaClean, a Thunderbird plugin that you can use to automatically clean Exif (and other meta data) from email attachments. This is not the type of article I usually write, but it’s a very interesting extension for the Thunderbird email client. It’s good enough to help make folks aware of it.

Just the other day, I updated this article:

How To: Sanitize Exif Data From Your Digital Images For Privacy Sake

The update was largely a link that went to a study regarding the privacy implications of Exif data. If you’re unfamiliar with Exif data and its importance, I would strongly encourage you to read the article. I’d also strongly encourage you to read the linked article. If you’re concerned with your privacy, or are regulated to be concerned with the privacy of others, this might just be one of the best extensions you’ve ever used.

See, Exif data is just one type of meta data. Lots of files, from pictures to text documents, contain meta data. For example, a file generated by a rich text editor (such as LibreOffice) will contain your username, may contain a record of edits, and may contain a list of usernames that have also edited it. Meta data contains all that and more.

Enter MetaClean…

Note: MetaClean is a proprietary product with an enterprise/business solution that offer their services free for personal use. It’s a closed source product and using it means you trust them to perform the services claimed and adhere to their claims.

The file remains on the server for the time necessary for its processing, depending on the size of the file the processing time varies from 10 milliseconds to 600 milliseconds, after this time the file is removed and it will be impossible to restore it (GDPR compliant).

Read on to learn more about using MetaClean.

MetaClean Automatically Removes Meta Data:

It’s easy enough to add MetaClean to Thunderbird. Just click on Add-Ons and Themes, and then in the search box put “MetaClean.” The search result should contain the extension and you can install it with a single click. It’s remarkably easy.

MetaClean basically uploads all of your attachments to their own server, strips out the meta data (but will leave their own branding in the field, for free users) and then returns the sanitized file to your computer before the email actually sends. I tested this with a number of files and it’s amazingly fast.

Again, it requires that you trust them – and not care that they leave a comment in your meta data. The comment is harmless and won’t lead to you in any way. Your privacy will not be compromised.

Here’s the amazing thing, it not only does all that – but it even works on compressed files – though it only currently supports 7Zip and .zip formats. With them supporting Thunderbird (and it working fine on Linux), we can hope that they’ll expand that to .gz and some folks may like it if it could also work with .rar files. For now, it works just fine with the compressed files I tested.

Meta data is in all sorts of things that you create or touch, though it’s not always a bad thing. It’s sometimes useful to have meta data. I, for one, like to include the ID3 tags with my music files. But, you don’t always want to share the meta data. In fact, in some industries you have to not share it – to be compliant with privacy laws. However, if that’s you, you might be interested in their professional options – where the server that strips the meta data is actually owned and run by you.

Basically, once you’ve added it as an extension, it will automatically sanitize your files – removing any personal meta data from the file. It does this all without any user intervention (once you tell it to automatically do so). If you want to send a file while including the meta information you can also tell the plugin to let that email through with the personal information attached.

Closure:

It’s really that simple. Just install MetaClean and forget it. You won’t have to wonder if you remembered to sanitize your meta data before you sent it. You can be pretty confident that it was sent without that private data still attached. It’s definitely one of the most beneficial and easiest Thunderbird extensions that I’ve worked with lately.

I realize that I forgot to give it a number rating! In this case, it does what it says on the tin. I wish their privacy policy (while excellent) spelled it out a bit better. The tools could be a bit more fine-grained. They could see about adding support for more compression formats. As for the rest, they do great. I’m going to award them a solid 8 out of 10.

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your own site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

Guest Article: Kickstart Vol. II

Today’s guest article is a continuation of the Kickstart theme. The first Kickstart article can be found here. Thanks goes out to dos2unix from the Linux.org forums.

I should mention again that I don’t actually know anything about Kickstart, other than what I’ve read in these articles. I’m extremely grateful, but you may want to check back a few times to ensure all the editing is complete!

Kickstart Vol. II:

Now that we have your web server, dhcp, and tftp server configured, we will need to enable the firewall for them.

On Fedora it looks like this:

Now we need to extract the iso files you have handy (you did already download these, right?) I should have mentioned you will need the “server” version of these iso’s. There is a way to make the workstation iso’s work, but that’s for another more advanced article.

For the example here, I put everything in: 

When that gets done copying, we can add another OS’s iso if you like:

If you have more iso’s repeat the same for CentOS or Redhat or whatever you have.

Again, when it gets done copying, simply umount the iso image. I confess, I’m something of a minimalist. I like short names like pub/fed35srv. If you like long names you could have something like /public/fedora35-server/x86_64/ I’m too lazy to type all of that in all my config files.

Now we will install the boot kernels. This isn’t actually the full kernel yet, just a lite kernel with enough parts to boot the system from the network.

Just about all computers have one of two types of internal configuration systems. Legacy BIOS and UEFI. Most newer computers in the last 8 years or so,are UEFI, but there are still plenty of Legacy BIOS systems around. For the purpose of this article we will set-up for both types.

In your /var/lib/tftpboot directory, we will make two directories. One for BIOS and one for UEFI.

Technically you could rename the efi directory to something else, but the pxelinux for legacy BIOS systems is hardcoded in some files.

Now you will need to download a couple of files. I recommend using the Fedora 35 version, even if you are going to be installing Redhat or CentOS. They are newer, have more features, bug fixes, and support more hardware.

But you can use the CentOS or Rehat versions if you want to. Shim-x64, grub2-efi-x86, and grub2-efi-x64-modules. We will need to extract these rpms. You can do this in /tmp or somewhere safe.

If it says this is already installed, replace install with reinstall. These are the efi files you will need for efi based systems.

This will create 3 directies in /tmp.

You can delete these directories in /tmp if you like, you are done with them. Make sure you don’t put a leading / and actually delete /usr and /etc.

The next part depends on what iso’s you have downloaded and extracted. But hopefully you will get the idea.I am using Fedora 32, Fedora 35, and Redhat 9 as my examples. You can use whatever directory names you like.

That’s enough for this article, will add next part later.

Closure:

And there you have it, another article and this one is a guest article – just like yesterday and probably just like tomorrow. I’m extremely grateful for the respite and wish I knew more about Kickstart. I think, for future reference, I’m gonna ask that folks register and write the draft here. I think it’d streamline it.

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your own site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

Want To See The WiFi Password In The Terminal?

It’s remarkably easy (assuming one can gain access to a privileged account) to get the WiFi password from the terminal. It does generally require sudo or root. It’s literally three commands. It’s the kind of attack you’d possibly worry about in an office where you don’t regularly log out of your device when you leave it. It might be an akin to attack from the ‘evil maid‘, as well, but not just quite. 

It really requires only two pieces of knowledge. The first is how to gain elevated permissions on the device and the other is the name of the network device – usually easy enough to surmise. It’s pretty easy information to get under those circumstances – circumstances we may all have been guilty of. Perhaps we typed a sudo command and then walked off to get coffsssee while it updated itself? Who knows – but it’s really just that easy.

Is it a security issue? Not if your security is any good, it isn’t. But, if anyone has physical access to the device, they pretty much own the device. If your security is any good, nobody should get this far and internal practices would prevent fellow employees from doing much harm. I could speak for hours about security, I just can not seem to do it coherently. 

Anyhow, here’s how you view the wifi password in the terminal.

WiFi Password From The Terminal:

Obviously, you need an open terminal. Just press CTRL + ALT + T and your default terminal should open.

First, you must change to the directory where this sort of information is stored. 

Find the network name (SSID)… You can usually guess that, or narrow it down rapidly on sight, but you can also just find the SSID by typing iwgetid Either way, just enter this:

The password will be happily shown to you in plain text. I’m not even kidding. This is what the whole process looks like and shows you how easy it is:

I am elite hackor!
Tada! There it is in plain ol’ text, easily captured and saved away.

Obviously, I knew the sudo password – I’d have easily figured out the rest. Even if I didn’t, there really weren’t all that many choices and a little tab completion goes a long ways. It’s a good example of why you should lock your screen and logout of your computer if you’re going to be away from it. (Of course, there’s always a risk vs reward thing and it probably doesn’t really matter to most of us.)

Closure:

There you have it! You can now find the WiFi password from the terminal. This shouldn’t ever be a risk, because you already practice good security. But, it’s a fun little trick to know. It doesn’t take a whole lot of effort and it makes for another article. Another one is written and done!

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your own site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

Automatically Logout Of Your Shell

For security reasons, you’ll possibly automatically logout of your user sessions. If you didn’t know, you can actually do that with your shell, in the terminal. There’s already a variable (TMOUT) just for this reason, should you want to add it as a layer of security.

Basically, for today, we’re going to set it up so that it automatically logs inactive users out of their shell session. It doesn’t log you out of your complete user session, it just logs you out of your shell – after a set period of activity. It even closes the open terminal windows when it does so.

So, depending on the interval you use, you can set it up to log you out of your shell instances after just a few minutes of inactivity. If you have nosy neighbors, like people physically near your computer, it can be a nice way to make sure things are all locked before you head off to the bathroom.

It’s useful for that sort of stuff. It’s just an added layer of security. I think that it is a pretty handy feature. I’ll explain how to enable it on a user-by-user basis and how to make it system-wide, giving you a choice. It’s actually pretty easy, so read on!

Automatically Logout Of Your Shell:

Like most good things in the Linux world, you’ll need an open terminal to take advantage of this article. If you don’t know how to open the terminal, you can do so with your keyboard – just press CTRL + ALT + T and your default terminal should open.

Both of these ways are pretty simple, in each case you add some text (using nano) to a profile file. The text in either case is the same. If you want to do it for just one user, the user you’re currently using, then run the following:

Add the following:

So, if you wanted it to be 10 minutes of inactivity before being logged out, you’d use TMOUT=600, because 600 seconds is 10 minutes. As you’re using nano, you can press CTRL + X, then Y, and then ENTER to save the file.

You’ll then force the profile to load, the command taking effect immediately, with this:

If you want to do it with the full system, the online guides will tell you to edit /etc/profile and that it’ll work if you do. My experiences are different and this is tested across multiple systems. You’ll be editing /etc/bash.bashrc, just like you did above but with sudo. (Using /etc/profile has not worked for me.)

Again, you add ‘TMOUT=600″ or however many seconds you want to wait. Personally? I scrolled to the bottom of the file, made a new line, and added the text that way. You could be all professional and add a comment indicating when and why you were there. I did nothing of the sort.

Unlike the first command, you’ll not be able to reload the second method (system-wide configuration) with ‘source ~/…’. As near as I can tell, you’ll have to restart the system for the changes to take place. If someone has a way to load it without rebooting, I’ll update the article. Please leave a comment if you do know of a way!

Closure:

There you have it, another article! This one tells you how to automatically logout from your shell. I’m not sure if it works for all shells, so feel free to test and see what sort of results you get. I’m pretty sure the 2nd option could be reloaded without rebooting, but I can’t think of which command. Which service would need restarting? I dunno?

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your own site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

Subscribe To Our Newsletter
Get notified when new articles are published! It's free and I won't send you any spam.
.
Linux Tips
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.