G+_Austin Clark Posted April 6, 2017
Show idea: in the wake of the FCC changing privacy laws for ISPs, I've thought about purchasing a VPN service (mostly as a finger to ISPs), but the issue I have is I access a lot of my gear while remote. I have a Plex server, NAS, video stream of my 3D printer via OctoPi, PCs, etc. It would be great to do a video on how to set up a router to divert browser, torrents, Netflix through the privacy VPN but still access your home network via DNS entry.

G+_Pat Hacker Posted April 6, 2017
Yes

G+_John Mink Posted April 6, 2017
Agreed, I set up OpenVPN on a pfSense router, but it takes a bit of fiddling about! Divvying up the network would be MUCH more fiddling :p and would definitely make a good show!

G+_Steve Martin Posted April 6, 2017
This is an excellent idea, along with other mitigations that people might do to stop the tracking.

G+_Travis Hershberger Posted April 6, 2017
TOR, and don't forget to change the DNS to a DNSCrypt server!

G+_John Mink Posted April 6, 2017
TOR sounds great on paper, but often disrupts things in practice... But hey, no reason not to make that one of many options!
G+_Ben Reese Posted April 7, 2017
I'd like to see several options built into a router with options for static routing. So...
Online backup -> normal WAN
Video streaming -> transparent proxy
Banking -> private VPS VPN
Social networks -> private VPS VPN
Downloads -> Tor
Everything else -> Public VPN service
Should be doable with OpenWRT and still allow inbound connections (or those could be routed through the VPS VPN), but processing power would be an issue. Would almost definitely have to be a home-built router like Benjamin Webb has, or pfSense.
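The split routing Austin asks for and Ben sketches above, as an added example that is not from the thread or from any of the posters: a POSIX shell script for a Linux/OpenWrt router (ip rule plus iptables CONNMARK) that sends chosen LAN hosts out a VPN tunnel while inbound connections to home services such as Plex or the NAS keep replying over the ISP link. The interface names, gateway address and host list are constructed assumptions, and the VPN client is assumed to run with route-nopull so it does not replace the main default route.

```shell
#!/bin/sh
# Added example, not from the thread: policy-based routing on a Linux/OpenWrt
# router. Selected LAN hosts leave through a VPN tunnel; everything else, and
# every inbound connection to home services (Plex, NAS, OctoPi), uses the ISP
# link. Interface names and addresses below are constructed assumptions.
LAN_IF="${LAN_IF:-br-lan}"        # LAN bridge
WAN_IF="${WAN_IF:-eth0}"          # ISP-facing interface
WAN_GW="${WAN_GW:-203.0.113.1}"   # ISP gateway (documentation range)
VPN_IF="${VPN_IF:-tun0}"          # VPN client tunnel, started with route-nopull
LAN_NET="${LAN_NET:-192.168.1.0/24}"
VPN_HOSTS="${VPN_HOSTS:-192.168.1.20 192.168.1.21}"  # torrent box, browsing PC
MARK_VPN=0x1; MARK_WAN=0x2; TABLE_VPN=100; TABLE_WAN=200

# Print each command (dry run); execute it only when APPLY=1 (needs root).
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

gen_rules() {
  # Two extra routing tables: 100 = default out the tunnel, 200 = out the ISP
  run ip route replace default dev "$VPN_IF" table "$TABLE_VPN"
  run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE_WAN"
  # LAN-to-LAN traffic is resolved first and never enters either tunnel
  run ip rule add to "$LAN_NET" lookup main priority 100
  run ip rule add fwmark "$MARK_WAN" lookup "$TABLE_WAN" priority 200
  run ip rule add fwmark "$MARK_VPN" lookup "$TABLE_VPN" priority 300
  # Reload the mark saved on the connection so replies follow their request
  run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
  # New connections arriving on the ISP link are pinned to the ISP link, so
  # replies from Plex/NAS go back the way they came instead of out the VPN
  run iptables -t mangle -A PREROUTING -i "$WAN_IF" -m conntrack --ctstate NEW \
      -j MARK --set-mark "$MARK_WAN"
  # Chosen LAN hosts: still-unmarked (new) connections are sent through the VPN
  for h in $VPN_HOSTS; do
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$h" -m mark --mark 0 \
        -j MARK --set-mark "$MARK_VPN"
  done
  run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
  # Source NAT on both egress links
  run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
  # Marked routes look asymmetric to the kernel; use loose reverse-path filtering
  run sysctl -w net.ipv4.conf.all.rp_filter=2
}

gen_rules
```

Run it without APPLY to review the commands, then with APPLY=1 as root to install them. It covers only the VPN/WAN split; the Tor and transparent-proxy branches in Ben's table would each need their own mark and routing table in the same pattern.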
G+_Peter Hanse Posted April 7, 2017
VPN is only as good as your trust in the VPN provider. It just shifts all your traffic to a different single exit point. TOR seems a better option as it shifts your traffic to many exit points. That is my basic understanding, but I would like to learn more, so it would be a good show. Cross between KH and TWIET (This Week in Enterprise Tech).

G+_Austin Clark Posted April 7, 2017 (Author)
There are a number of quality VPN providers with fast connections. Knowing how much the government is watching exit nodes on TOR, I wouldn't use them unless I had other methods to be anonymous on top of that. Realistically a quality VPN and understanding you aren't 100% anonymous is best.
G+_Ben Reese Posted April 7, 2017
Peter Hanse, it's been a while since I've used Tor, but I believe you still typically have a single exit point - and that's necessary for TCP connections. I suppose it'd be possible for each TCP connection to have its own exit node, but I'm not sure that's how it's designed. Your system decides the route before the data is sent. The public cert for each node is used to encrypt the data in layers. Then, as the data travels through the route, it's unwrapped by each node until it gets to the exit node and goes out as plain text. In that regard, you HAVE TO trust your exit node.

G+_Peter Hanse Posted April 7, 2017
In all this it is trust of the exit node. I believe this is why there is a push for encryption on all websites. Google down-rates you if you do not have HTTPS on your site.

G+_Ben Reese Posted April 7, 2017
Peter Hanse, and with LetsEncrypt there's almost NO reason not to encrypt. I say "almost" because most of the hosting providers still charge for SSL even if you're using LetsEncrypt.

G+_Peter Hanse Posted April 7, 2017
Ben Reese, even with SSL we have to trust root providers. Just heard a story that Google Chrome is having an issue with the Symantec root due to them issuing certificates they should not have. What is even better is our government (USA) websites use their own root that is not recognized by web browsers, so you have to add their root and remove checking for revoked certificates.

G+_Travis Hershberger Posted April 7, 2017
Peter Hanse Uhm, after adding a root cert, you shouldn't have to disable checking on other sites.
G+_Peter Hanse Posted April 7, 2017
Here is what I got from our USA government when I asked about root certificates not being recognized.

We are pleased to inform you that your reported Incident/Request has been resolved.
Reference No.: INC000005177259
Priority: Low
Summary: WAWF SETUP
Notes: I am contacting you because WAWF has a bad security certificate and no longer allows access for Mac OS X due to lack of a valid security certificate. When will WAWF get a valid certificate? We at Company name have a policy of not allowing access to sites with invalid certificates.

Your reported Incident/Request has been resolved with the following resolution:
The certificates on our web site are valid; your browser settings are keeping you from seeing that because they are military certificates. Please change the settings according to the instructions below and you should no longer see this erroneous message. These instructions were written for Internet Explorer, but your IT department should be able to easily convert them to other browsers. Make sure the person going through these steps has Administrator rights to the computer.

Users that don't have the root and intermediate certificates loaded in their browser will most likely see a message that there is a problem with the web site's security certificate. There should be an option to continue or to exit. The user can choose to continue and they will be brought to the banner page as normal. To resolve this error, complete the Machine Setup located under the Help/Support link at the top right corner of the WAWF web page.

Some users may not see the option to continue to the website or proceed past the browser security prompt. To resolve this, try the following:
Note: Some users may require administrative permissions or assistance.
1.) Verify the TLS settings are correct.
    - TLS 1.0 and 1.1 should be checked and TLS 1.2 should be unchecked.
2.) Clear the browser's temporary internet files and cookie cache. If presented with the option to preserve favorites website data, this option should be unchecked.
3.) Verify the system date and time are correct.
4.) Uncheck the options for "Check for publisher's certificate revocation" and "Check for server certificate revocation".
    a. Open Internet Explorer.
    b. Click on Tools, Internet Options from the menu.
    c. Click on the Advanced tab and scroll down to the Security section.
    d. Clear the boxes for: Check for publisher's certificate revocation and Check for server certificate revocation.
    e. Click Apply and OK.
    f. Restart the computer and check the issue.
5.) To download the DoD CA certificates:
    a. Go to: http://iase.disa.mil/pki-pke/Pages/tools.aspx
    b. Select the heading for "Trust Store."
    c. Under the heading for "InstallRoot 5.0 NIPR Windows Installer," please select the link for "Non Administrator."
    d. You will be prompted to Open/Run/Save the installation file, "InstallRoot_NonAdmin_5.0.msi." The need to save is not required, so it is your preference on which of the available options you choose.
    e. Upon opening the InstallRoot_NonAdmin_5.0.msi file, you will be presented with the InstallRoot Setup Wizard. Simply choose "Next" after reading each step of the Wizard.
    f. When prompted to select the features you wish to install, ensure that at least the "Graphical Interface" is checked. Afterwards, click on "Next" and then "Install."
    g. After the installation of the tool is complete, click "Run InstallRoot" and follow the prompts.
G+_Peter Hanse Posted April 7, 2017
Maybe a 3-way show between KH, TWIET, and Security Now.

G+_Ben Reese Posted April 7, 2017
Peter Hanse, that's fantastic! I remember venturing into a .mil website a while back and reading disclaimers that connecting to the site gave them implicit permission to confiscate or remotely search my computer - or something to that effect. Seems like they wanted me to install a root cert then too... No thanks! You're right: it's all based on a chain of trust. If any link is weakened, the whole chain is compromised. I almost feel bad that Symantec is getting spanked so bad; 10k bad certificates is a big deal!

G+_Peter Hanse Posted April 7, 2017
Ben Reese, I personally have not trusted Symantec for a long time, back to when their virus scan became bloated. One of the reasons I went to OS X in our office.

G+_Travis Hershberger Posted April 7, 2017
Peter Hanse All that tells me: never use that web site.

G+_Fr. Robert Ballecer, SJ Posted April 10, 2017
Psst... that's today's episode. :)

G+_Travis Hershberger Posted April 10, 2017
I have no cell signal where I'll be driving when you're live today :(

G+_Ben Reese Posted April 10, 2017
Psst... They're not actually live on Mondays.

G+_Jason Marsh Posted April 16, 2017
Travis Hershberger, that only works if you're not associated with the .mil domain. Otherwise, you MUST install the DoD root cert to get your work done. Since retiring five years ago, there are no DoD certs on any of our machines, and we only use sites that don't require DoD certs. I wish I'd had the forethought to back up my PKI keys when I retired, though, because some of my old mail I've held onto is unreadable now. Not that I really need that old data, but those were MY keys, dang it!

G+_Travis Hershberger Posted April 17, 2017
Jason Marsh, the DoD is known to have horrible security policies that take no human factor into account. Honestly, if any agency should be in the "post-password" era, I'd think they'd want to be.

G+_Jason Marsh Posted April 17, 2017
Travis Hershberger, trust me, I know. As the sole desktop support, data manager and information systems security officer for an organization with about 600 employees, data management was a pain. Come the summer surge, count in a few hundred reservists, and it's no wonder I started balding those last few years. Most days I was teaching, so all that 'puter stuff was mostly handled at lunch, at night, or on the weekend. I stopped carrying my cell to work out of necessity. 100% of the problem was the humans. Everyone wants access to everything, and nobody understands why they shouldn't store personnel records on the shares. Cleaning that up was like a perpetual game of whack-a-mole.