Disconnect Your Smart TV from the Internet to Stop Tracking

Automated content recognition isn’t the only tracking issue on TVs, but it’s one of the most startling. Here’s what the marketing industry doesn’t want you to know:

Many TVs have “automated content recognition” technology that detects what you’re watching—even if you’re watching OTA TV or an old VHS tape—and informs marketers.

When this feature is enabled—and it’s probably enabled by default, or after a prompt that really encourages you to enable it without explaining it properly—your smart TV will monitor your viewing habits and phone home. To do so, your smart TV will capture sections of video, snippets of audio, still images, or some combination of the three, and upload the data to a “listening post,” as AdExchanger’s guide for marketers explains it.

Even if you never touch your smart TV’s software and you just play video games from a console, stream with an Apple TV, or connect a PC via HDMI, your smart TV is likely watching and phoning home. What do the marketers do with this data? As AdExchanger puts it: “Once the data has been collected, TV analytics companies ingest ACR data and combine it with other data sets to make it more accurate and usable.”

In other words, data about what you’re doing on your TV is combined with other sources of data. These could include your web browsing history, search history, product purchases, and credit card transaction data. That data can then be used to build a more complete profile on you and your TV habits to better serve you targeted ads.

“You Are in Control!”

Of course, this monitoring isn’t happening against anyone’s will! That would be unethical. All the people who have this feature enabled on their TVs are surely informed consumers making an informed decision to share their data with marketers. For example, on a Roku smart TV, you have to head to Settings > Privacy > Smart TV Experience and disable “From TV Inputs” to deactivate ACR features.

We’re sure that all those Roku TV users out there understand exactly what this option does, right? The majority of Roku TV users all really want marketers to know exactly what they’re watching at all times.

That’s one perspective. Here’s another one:

TV manufacturers are only getting away with this by making ACR-related options confusing and buried, counting on TV customers not knowing that their televisions are even capable of this. Case in point: Vizio paid out a $17 million settlement after it was sued for making these options confusing and misleading. Of course, Vizio never admitted that it did anything wrong.

Finally, let’s face it: Smart TVs are cheaper than dumb TVs because of this data collection. Roku makes its money from ads and paid video content, not from selling hardware.

Consumer Reports has a good guide to turning off ACR and other snooping features on smart TVs from a wide variety of brands.

Just Disconnect Your Smart TV and Be Done with It

We could go on about other “features” you might not like, like the interactive advertisements Roku sometimes slips into cable TV programs. But honestly, what’s the point? Why not just prevent the smart TV software from phoning home in the first place?

To do so, just cut off your smart TV’s internet connection. If the TV is plugged into your network via an Ethernet cable, unplug it. If it’s connected to Wi-Fi, have your TV forget the Wi-Fi network. If your TV can’t connect to the network, it can’t phone home. When you get a new smart TV, consider not even connecting it to the network. You probably can’t avoid buying a smart TV, so this at least lets you treat a smart TV as if it were a traditional “dumb TV.” Problem solved!

Of course, this isn’t an ideal solution. If you love your smart TV’s software, you’re making a sacrifice. However, if you only use your smart TV as a “dumb” display for other devices, it’s a great solution. If you do really like your smart TV’s software, be sure to look up a guide for turning off as many privacy-invasive features as you can.

But remember: Other devices often have their own tracking features. Even if you have a streaming platform that doesn’t track your watching habits (like an Apple TV), apps that you run on that platform (like Netflix, for example) will keep track of your watching habits in those individual apps. Still, even if your streaming box is monitoring your watching habits, at least your smart TV won’t be. That’s a win if you want to keep marketers from knowing everything about your life.


How to See Which iPhone Apps Are Listening to Your Microphone

Are you worried that your iPhone apps are listening using your device’s built-in microphone? If so, it’s easy to know for sure—and to revoke microphone access if necessary—by checking a list in Settings.

First, open the “Settings” app.

Tap the "Settings" icon on iPhone

In “Settings,” tap “Privacy.”

In iPhone Settings, tap "Privacy."

In “Privacy,” tap “Microphone.”

In Privacy settings, tap "Microphone."

On the next screen, you’ll see a list of installed apps that have previously requested access to your microphone. Each app has a switch beside it. If the switch is “on” (green) then the app can access your microphone. If the switch is “off” (or greyed out), then the app cannot access your microphone.

An example list of iPhone apps that can access your microphone in Privacy Settings.

If you’d like to remove an app’s access to your microphone, tap the switch beside it to turn it off. Likewise, if you’d like to give an app access to your microphone, turn the switch on.

In iPhone Settings, to grant or revoke access to your microphone, tap the switch beside the app in the list.

When you’re done, exit “Settings” and your changes will take effect immediately.

It’s worth noting that if you’re running iOS 14 and up, you can tell when an app is using your microphone if there is an orange dot in the status bar in the top right corner of your iPhone screen. (If you see a green dot, that means your camera is in use.)

The orange dot in your iPhone status bar means the microphone is in use.

If you ever feel that an app is using your microphone when it shouldn’t, simply visit Settings > Privacy > Microphone as detailed above and revoke the app’s access by flipping the switch beside it to “off”.


Why SMS Text Messages Aren’t Private or Secure

You might think that switching from Facebook Messenger to old-fashioned text messages would help protect your privacy. But standard SMS text messages aren’t very private or secure. SMS is like fax—an old, outdated standard that refuses to go away.

Your Cellular Carrier Can See Your SMS Messages

With SMS, messages you send are not end-to-end encrypted. Your cellular provider can see the contents of messages you send and receive. Those messages are stored on your cellular provider’s systems—so, instead of a tech company like Facebook seeing your messages, your cellular provider can see your messages.

Cellular carriers store the contents of those messages for various amounts of time. Messages are often only retained for several days, but they store metadata (which number sent a message to which number, and at what time) for even longer. These records could be subject to subpoena in legal proceedings—for example, text message records are a common form of evidence in divorce cases.

Compare this to an end-to-end encrypted chat app like Signal. Signal doesn’t have the contents of your communications. Signal doesn’t even know who you’re talking to. Your conversation data is only stored on your device and the device of the person you’re talking to—that’s it. That aside, should you trust your cellular provider with your conversations? Well, back in 2019, AT&T, Sprint, and T-Mobile were all revealed to be selling customer location data to aggregators. It was used by everyone from bail bondsmen to rogue bounty hunters. (After this was reported in the news, the cellular carriers promised to stop.)

Do you want those companies to see all the contents of your personal conversations?

SMS Messages Can Be Intercepted by Criminals

But SMS messages are used for security, right? There’s a reason every bank and financial institution relies on SMS messages to verify your identity—right?

Well, yes, there is a reason. But that reason isn’t because of security. It’s just that everyone has a phone number. Requiring confirmation via SMS adds some additional security. Even if SMS isn’t particularly secure, it at least ensures that an attacker has to intercept an SMS message in addition to typing in your password.

SMS messages can be intercepted. Mobile phone networks around the world are connected to each other through the Signaling System No 7 (SS7) protocol. This is how your phone can connect to a cellular network and make and receive calls, even when you’re in another country on the other side of the world. The SS7 system has been repeatedly attacked by hackers who have snooped on SMS messages or intercepted them. This is particularly useful when compromising bank accounts, for example—the attackers can snoop on the verification codes that are generally sent via SMS, use them to access bank accounts, and drain them.

This is why security professionals have recommended against using SMS for two-factor authentication. An app that generates codes on your device or a physical security key is much more bulletproof. (However, if SMS is the only option you have available, SMS is better than nothing).

SMS Messages Can Be Monitored by Authorities

Governments around the world have access to “stingrays,” devices that essentially impersonate a cellular tower. When placed near your physical location, these trick your phone into connecting to them (as your phone would connect to a normal cellular tower). The stingray device can then track your movements and see your SMS text messages—just like your cellular carrier can.

Beyond local monitoring, SMS messages can also be swept up in larger surveillance systems. According to documents released by Edward Snowden back in 2014, the NSA was, at the time, collecting over 200 million text messages a day from around the globe.

Other countries’ intelligence services also have access to stingrays and SMS-monitoring technology, so it’s clear why encrypted communication apps like Signal and Telegram are especially popular among activists living under repressive regimes. For example, Telegram and Signal are banned in Iran.

Your Phone Number Is Surprisingly Easy to Hijack

Beyond SMS, phone numbers actually have very poor security—at the carrier level. A scammer can call your cellular carrier or go into a store and impersonate you. If the scammer has enough details and can trick your carrier’s customer service representatives, they can get control over your phone number. They may have the carrier “port out” your phone number to a different cellular carrier—just as you’d do if you were switching to another cellular provider. Or, they may have the carrier issue a new SIM card tied to your phone number and deactivate your existing SIM card, removing access to your phone number.

Now the attacker would have your phone number. With that, they can get access to accounts protected by SMS-based two-factor authentication. For an individual scammer, tricking a customer service person is easier than hacking SS7, after all. This is called a “port-out scam” or “SIM swapping attack.” You can often protect your phone number by adding extra PINs and security features with your cellular provider. Check with your cellular provider to see what security features they offer to protect against port-out scams.

This has happened to quite a few people—enough that the FCC and Better Business Bureau have put out advisories warning about this scam.

iMessage and RCS: Better Than SMS?


The Messages app on iPhone supports both SMS and Apple’s own iMessage service. On Android, more and more Android phones are gaining support for the more modern Rich Communication Services (RCS) standard. Both are designed to silently “upgrade” text message conversations to more modern, secure ones when both people are using devices that support them. So how do they compare to SMS?

Apple’s iMessage piggy-backs on SMS in a sense, using phone numbers as identifiers. If both you and the person you want to text have iPhones and have enabled iMessage, any text you send will be sent as an iMessage instead. These are end-to-end encrypted and sent through Apple’s servers. You’ll know iMessage is being used because the messages will have blue bubbles. If you see green bubbles instead, the Messages app is using SMS instead—because you’re messaging someone without iMessage, likely a person who is an Android user.

The RCS standard being pushed for Android users—think of it as the Google/Android equivalent to Apple’s iMessage—did not support end-to-end encryption as of January 2021. As of November 2020, Google was working on adding end-to-end encryption to RCS. That means, even with that fancy new RCS system on your Android phone, your cellular carrier can still see the contents of the messages you send, just like with SMS.

The Problems With SMS, Summarized

Let’s quickly summarize the problems with SMS, and compare it to a secure, end-to-end encrypted chat app like Signal.

With SMS:

  • Your cellular carrier can see the contents of the messages you’re sending and receiving. Any collected records could be subpoenaed in legal proceedings.
  • SMS messages can be intercepted by hackers due to weaknesses in the rickety old protocol that powers them. This puts financial and other accounts at risk.
  • Authorities can deploy stingrays to snoop on the contents of text messages in an area.
  • Scammers can try to steal your cell phone number by tricking your cellular provider’s customer service staff.

With Signal, for example:

  • Your cellular carrier can’t see the contents of your messages. Not even Signal can see the contents of your messages or who you’re contacting—that remains a secret. Signal doesn’t collect this data. If forced by subpoena, Signal can reveal almost nothing about your usage of the service.
  • Signal messages can’t realistically be hijacked by hackers. They would have to compromise the Signal encryption protocol, which security experts consider excellent. (In contrast, SS7 has been repeatedly compromised.)
  • Stingrays can’t see your conversations. Authorities can’t snoop on the content of Signal messages—not without getting their hands on a phone that contains them. All they can see is encrypted traffic being sent back and forth to Signal’s servers.
  • A port-out scam that captures your phone number wouldn’t grant access to your Signal account. You can protect your Signal account with a PIN, so a scammer can’t just access your Signal account. Even if the scammer could somehow guess your PIN and access your Signal account, your Signal messages are stored on your phone and wouldn’t be synced to any new devices that gain access to your account.

What You Should Use Instead


We used Signal as the example here as the contrast is so stark—Signal is the most widely recommended private chat app, with always-on end-to-end encryption.

If you have an iPhone, communicating with iMessage is much more private and secure than using plain old SMS. Hopefully, Android users will one day have secure end-to-end encrypted messages built into their devices after improvements are made to RCS. Unfortunately, iMessage and RCS aren’t compatible with each other, so iPhones and Android phones will have to communicate over SMS—or switch to different chat apps that aren’t built-in.

Other chat apps are an option, too. Telegram is popular, although it doesn’t use end-to-end encryption by default. WhatsApp at least uses end-to-end encryption by default, unlike Facebook Messenger—if you trust a Facebook-operated chat app. But even Facebook Messenger is arguably more secure than SMS—you’re trusting Facebook with your messages, but at least you don’t have to worry about the problems in the ancient, creaky old SS7 protocol.

For two-factor security, it’s best to avoid SMS for really critical tasks. Unfortunately, some services will fall back to SMS authentication anyway—for convenience. There are sometimes alternatives. For example, Google offers Advanced Protection for journalists, activists, business leaders, and politicians who need maximum security for their accounts, and it requires the use of a physical security key. That said, SMS-based two-factor security is still better than nothing.

The Future of SMS: Will It Ever Be Fixed?

SMS is just outdated technology. It clearly was not built with privacy and security in mind, and those design decisions are still with it today. Hopefully, this will be fixed in the future. If RCS becomes more mature, gains end-to-end encryption, and is available in all Android phones—well, then all Apple would have to do is agree to make RCS compatible with iMessage in some way. Then all modern smartphones would have secure messaging that doesn’t depend on ancient protocols built-in.

For now, it’s best to avoid text messages if you’re concerned about your privacy or the security of your accounts.


How to Use OpenPGP Encryption for Emails in Thunderbird

Mozilla Thunderbird recently integrated OpenPGP right into the main application. No add-ons are needed for email privacy. OpenPGP’s world-class encryption is easy to set up and use without additional software.

Thunderbird and OpenPGP

Version 78.2.1 of the Thunderbird email client has support for end-to-end encryption (e2ee) built right in. This integration means you no longer need add-ons like Enigmail. Thunderbird uses OpenPGP for encryption, which is a free, nonproprietary protocol. Based on the freeware versions of Phil Zimmermann’s Pretty Good Privacy (PGP), it’s now very much its own thing.

Thunderbird’s OpenPGP integration allows you to encrypt a message. Then, only the people you want to read your message will be able to do so. It also lets you digitally sign a message so your recipient can be confident the message hasn’t been altered in transit.

OpenPGP is built on pairs of public and private (or “secret”) encryption keys. To use OpenPGP, you must have a public and private key pair. Public keys are shared with anyone to whom you want to send encrypted messages, whereas private keys are never shared with anyone else. A private key is what decrypts messages that were encrypted with its matching public key.

The sender’s email client generates a random key which is used to encrypt the message. The random key is then encrypted with the recipient’s public key, and the encrypted message and key are then sent to the recipient. The recipient’s email program uses the recipient’s private key to decrypt the random key. The random key can then be used to decrypt the encoded message.

Why not just use the recipient’s public key to encrypt the message? This would work for messages sent to a single recipient, but it would be too cumbersome for those sent to multiple people.

The most efficient way to distribute a message to several people is to encrypt the message using the random key. This is because no public or private keys have been involved at that point, making the encryption on the message person-agnostic.

For each recipient, the random key is encrypted using that person’s public key. All of the encrypted keys are then sent with the message. Each recipient can decrypt the copy of the random key that was encrypted using their public key, and then use the random key to decrypt the message.

Thankfully, once OpenPGP is set up, all of this happens automatically.
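The hybrid scheme described above (one random session key for the body, that key wrapped once per recipient with their public key, and a signature from the sender) is small enough to show end to end. The following is an added example in Go, not code from the article or from Thunderbird or any OpenPGP implementation: it uses AES-256-GCM for the body, RSA-OAEP to wrap the session key and RSA-PSS for the signature as stand-ins for the OpenPGP packet formats, and the names `Party`, `Envelope`, `Seal` and `Open` are this example’s own. The 2048-bit key size is chosen only to keep the example quick.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one correspondent. Only &Key.PublicKey is ever shared; the private half stays put.
type Party struct {
	Name string
	Key  *rsa.PrivateKey
}

// NewParty generates a fresh key pair (2048-bit RSA keeps the example quick).
func NewParty(name string) (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Party{Name: name, Key: k}, err
}

// Envelope is what travels over email: the body encrypted once with a random session
// key, one wrapped copy of that key per recipient, and the sender's signature.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys map[string][]byte // recipient name -> RSA-OAEP(session key)
	Signature   []byte
}

// newGCM builds the AES-256-GCM primitive that protects the message body.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for every recipient and signs it as sender.
func Seal(sender *Party, plaintext []byte, recipients []*Party) (*Envelope, error) {
	// 1. A random session key encrypts the body once, regardless of who will read it.
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, WrappedKeys: map[string][]byte{}}
	env.Ciphertext = gcm.Seal(nil, nonce, plaintext, nil)
	// 2. The session key is wrapped separately under each recipient's public key.
	for _, r := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &r.Key.PublicKey, sessionKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[r.Name] = w
	}
	// 3. The sender signs the plaintext so tampering shows up after decryption.
	digest := sha256.Sum256(plaintext)
	env.Signature, err = rsa.SignPSS(rand.Reader, sender.Key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return env, nil
}

// Open recovers the plaintext for one recipient and verifies the sender's signature.
func Open(me *Party, senderPub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[me.Name]
	if !ok {
		return nil, fmt.Errorf("message was not encrypted to %s", me.Name)
	}
	// Only me.Key can unwrap this copy of the session key.
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, me.Key, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt body: %w", err)
	}
	digest := sha256.Sum256(plaintext)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return plaintext, nil
}
```

To try it, create a sender and two recipients with `NewParty`, call `Seal(sender, msg, []*Party{alwa, bea})` once, and have each recipient call `Open` with the sender’s public key; a third party whose name is absent from `WrappedKeys` cannot open the envelope, and flipping any byte of `Ciphertext` makes `Open` fail at the GCM authentication step before the signature is even checked.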

We tested Thunderbird’s OpenPGP integration on an Ubuntu 20.10 computer. On a Windows 10 PC, all the Thunderbird menu items, settings, and dialogs were named the same and in the same locations. So, if you’re running Windows, you should be able to follow the instructions below, as well!

Checking the Thunderbird Version

OpenPGP integration arrived in Thunderbird 78.2.1, so you’ll want to make sure you’re running that version or higher. You can use your package manager to upgrade if necessary.

If you use Enigmail, refer to the upgrade instructions on the Mozilla support pages. They include advice about backing up your old Thunderbird profile before you upgrade. This way, if something goes wrong, you can go back to the previous version. By default, Thunderbird 78.x retains the classic three-pane email interface: the accounts and folders in the sidebar, the list of received emails at the top, and the content of the highlighted email at the bottom.

Thunderbird email client default view

If you can’t see the Thunderbird menu bar, right-click the space to the right of the last tab, and then select “Menu Bar” from the context menu. To see which version of Thunderbird you have, click Help > About Thunderbird.

Thunderbird's help about dialog box

We’re running version 78.5.0, so the OpenPGP integration will definitely be present. If this is the first time you’ve used Thunderbird, configure your email address and account details, and then verify that email is functioning normally. You have to have a working email account inside Thunderbird before you can set up OpenPGP.

Generating a Key Pair

To generate a key pair, click “Tools,” and then select “OpenPGP Key Manager.”

Tools drop-down menu

Click Generate > New Key Pair.

OpenPGP Key Manager dialog box

A screen full of options will appear. Click the “Identity” drop-down menu and select the email address for which you want to generate keys. If you have multiple identities configured in your Thunderbird client, make sure you select the appropriate email address. Under “Key Expiry,” select the lifespan of your keys or select “Key Does Not Expire.”

In “Advanced Settings,” you can select the type of encryption and key size (the defaults are fine in most cases). When you’re happy with your selections, click “Generate Key.”

The Generate OpenPGP Key options dialog box

You’ll be asked to confirm that you want to generate the keys for that email address; click “Confirm.”

Key generation confirmation dialog box

After your keys have been generated, an entry will appear in the “OpenPGP Key Manager” dialog.

New key entry in the OpenPGP Key Manager

If you generate keys for any other email addresses, those details will be listed here, as well. To view the configuration of any of the listed keys, just highlight the entry in the list, and then click View > Key Properties.

Key Properties dialog box

Select the radio button next to “Yes, Treat This Key as a Personal Key,” and then click “OK” when you’re ready to proceed.

Exchanging Public Keys

You have to have the public key for each person to whom you’re going to send encrypted messages. They’ll also need yours to send encrypted messages back. There are a few ways you can get someone’s public key. They might send it to you unannounced or you can ask them for it. You can even try to find it online.

Whenever you receive an email with an attached public key, Thunderbird includes an “OpenPGP” button to the right of the email header; click it to import the public key.

Email with a public key attached, showing the OpenPGP button

You might receive some warnings. For example, if the message wasn’t encrypted or digitally signed, you’ll be told so. If you’ve just asked this person to send you their public key, you can be pretty sure this is from them. If there’s any doubt, just double-check with them via text, phone, or any other non-email method.

If you’re satisfied the public key definitely belongs to the person sending the message, click “Import.”

OpenPGP message security dialog box

The name of the sender and their email address will appear as confirmation. Click “OK” to import the key.

Key import confirmation dialog

Some information about the imported public key will then appear. You’ll see who owns the key, the email address associated with it, the number of bits the encryption is using, and when the public key was created.

Click “View Details and Manage Key Acceptance.”

Imported key details dialog box

If you’re positive the key came from its owner, select the radio button next to “Yes, I’ve Verified in Person This Key Has the Correct Fingerprint,” and then click “OK.”

Key Properties dialog box

That’s half the battle! We now have Alwa’s public key, so let’s send him ours. To do so, just start a new email to the person to whom you want to send your key or reply to one of their emails. In the email menu bar, click Options > Attach My Public Key.

Email Options drop-down menu

Then, you just type the body of your email and send it as usual. Again, Thunderbird includes an “OpenPGP” indicator at the bottom right of the status bar to let you know the message uses OpenPGP. If the email is encrypted, you’ll also see a padlock icon, and if it’s digitally signed, you’ll see a cogwheel icon.

Email with OpenPGP indicator in the status bar

The options for encryption and digitally signing emails are available in the “Security” section of the email menu bar. You can also attach your public key from this menu.

Security drop-down menu

When you’re ready, just send your email.

Reading Encrypted Emails

Alwa can now reply to you and use encryption. When you receive an encrypted email, you don’t have to do anything special to read it—just open it as usual. “OpenPGP” in the email header will include green checkmarks to verify that OpenPGP has decrypted the email and that the digital signature has also been verified.

Receiving an encrypted email in Thunderbird

The subject line of an encrypted email will be displayed as an ellipsis (…) until you open it. This prevents anyone from seeing the subject of any encrypted emails you receive.

Encrypted email header replaced by three dots

Some people do make their public keys available online. To upload yours, you first have to export it.

To do so, click “Tools,” and then select “OpenPGP Key Manager.” Highlight the key you want to export in the “OpenPGP Key Manager” dialog, and then click File > Export Public Key(s) to File.

New key entry in the OpenPGP Key Manager

Save the exported file to your computer (be sure to note where you save it). Next, open your web browser and navigate to the OpenPGP Key Repository. Here, you can search for existing keys using the email address, key ID, or fingerprint.

You can also upload your own key. To do so, just click “Upload,” and then browse to the location of your exported file.

OpenPGP central key repository

Once your key is uploaded, people can search for, find, and download or import it into their own email clients. You can also search for online keys in Thunderbird. Just click “Tools,” and then select “OpenPGP Key Manager.” Then, click Keyserver > Discover Keys Online.

When the “OpenPGP Prompt” dialog appears, type the email address of the person you’re looking for, and then click “OK.”

Searching for online keys from within Thunderbird

If a match is found, Thunderbird will offer to import the key for you; click “OK” to do so.

Matching key details displayed in a dialog box in Thunderbird

Keep Your Secrets, Well, Secret

Admittedly, not every email needs to be locked down with encryption and verified by a digital signature. However, for some people—like dissidents in oppressive regimes, whistleblowers, or journalists’ sources—privacy can be a matter of life or death.


How to Stop Signal From Telling You When Your Contacts Join


When someone in your contacts signs up for Signal, you’ll see a message saying that person joined Signal. Now you know you can contact them on Signal. If you’d rather not see these notifications, you can disable them.

How to Disable Signal’s Contact Join Notifications

Signal uses phone numbers as addresses you can reach people at. When a phone number in your contacts signs up for Signal, you’ll see a notification telling you they’re reachable on Signal. The name associated with that person comes from the contact information saved on your phone. To hide these alerts, open the Signal app on your iPhone or Android phone. Tap your profile picture or username initials shown at the top-left corner of the Signal conversation list.

Tap your profile logo at the top-left of the Signal app.

Tap “Notifications” on the Signal settings menu screen.

Tap "Notifications."

Under Events, tap the slider to the right of “Contact Joined Signal” to disable these contact-join notifications.

Tap the "Contact Joined Signal" toggle.

That’s it—Signal won’t let you know when your friends, family members, coworkers, or other contacts join in the future. The Signal app will still know, of course. If you tap the “New Message” icon, you’ll see all your contacts who are on Signal, ready to be contacted.

Can You Stop Signal From Telling People When You Join?

There’s no way to prevent Signal from informing people when you join. If someone has your phone number in their contacts, Signal will let them know that phone number has joined Signal. This has nothing to do with whether you allow Signal access to your own contacts.

The only way to prevent this is to use a secondary phone number. Signal is designed to work with phone numbers and to be an easy-to-use replacement for SMS, which is why it works this way. If you want a chat service that doesn’t use phone numbers as identifiers—for example, if you would prefer usernames that don’t expose your phone number—Signal isn’t the app for you.


Does Apple Track Every Mac App You Run? OCSP Explained

On a Mac, apps you download—whether from the Mac App Store or from the web—are signed with a developer certificate. Whenever you launch an app, macOS checks that it was signed by a legitimate developer and that it hasn’t been tampered with. This helps protect you from malware.

For example, when Mozilla creates Firefox, it compiles a Firefox application file and then signs it with Mozilla’s developer certificate. This is Mozilla’s way of proving that the file is legitimate and created by Mozilla. If the application file is tampered with afterward, your Mac will notice the difference.

These certificates are only valid for a certain interval of time—perhaps a few years—but they can be “revoked” early. For example, if Apple discovers that a developer is using its certificate to sign malicious apps, Apple then revokes the certificate. Macs won’t load apps with that revoked certificate.

OCSP Explained: Why Does Your Mac Phone Home?

But wait—how does your Mac know if Apple has revoked a certificate associated with an app on your Mac? To check, your Mac uses something called the Online Certificate Status Protocol, or OCSP; it’s also used by web browsers to check website certificates as you browse.

When you launch an app, your Mac sends information about its certificate to an Apple server at ocsp.apple.com. Your Mac asks this Apple server whether the certificate has been revoked. If it hasn’t, your Mac launches the app. If the certificate has been revoked, your Mac won’t launch the app.

Does This Happen Every Time You Launch an App?

Your Mac remembers these responses for a period of time. On November 12, 2020, responses were cached for five minutes; in other words, if you launched an app, closed it, and launched it again four minutes later, your Mac wouldn’t have to ask Apple about the certificate a second time. However, if you launched an app, closed it, and launched it six minutes later, your Mac would have to ask Apple’s servers again.

For whatever reason—perhaps due to changes in macOS Big Sur—Apple’s server was swamped and became very slow on November 12, 2020. Responses slowed down considerably, and apps took a long time to load as Macs patiently waited for a response from Apple’s slow server.

After that event, Apple’s OCSP server now tells Macs to remember certificate validity responses for 12 hours. Your Mac will phone home and ask about a certificate every time you launch an app—unless you’ve received a response in the last 12 hours, in which case it won’t need to. (The information about time periods here comes from independent app developer Jeff Johnson.)

What If a Mac Is Offline?

The OCSP check is designed to fail with grace. If you’re offline, your Mac will silently skip the check and launch apps normally.

The same is true if your Mac can’t reach the ocsp.apple.com server—perhaps because the server address has been blocked on your network at the router level. If your Mac can’t contact the server, it skips the check and immediately launches the app. The problem on November 12, 2020 was that while Macs could reach Apple’s server, the server itself was slow. But rather than silently failing and getting on with launching an app, Macs waited a long time for a response. If the server had been down completely, no one would have noticed.

What’s the Privacy Risk? What Does Apple Learn?

Apple's campus in Cupertino.
Droneandy/Shutterstock.com

There are several privacy concerns people have brought up here. They are spelled out in hacker and security researcher Jeffrey Paul’s blistering take on the situation.

  • Certificates Are Associated With Apps: When your Mac contacts the OCSP server, it asks about a certificate that’s likely associated with one app—or, perhaps, a handful of apps. Technically, your Mac does not tell Apple which app you’ve launched. For example, if you launch Firefox, Apple just learns that you’ve launched an app created by Mozilla. It could be Firefox or Thunderbird, but Apple doesn’t know which. However, if you launch an app signed by the Tor Project, Apple can get a pretty good idea that you’ve opened the Tor Browser.
  • Requests Are Associated With IP Addresses and Times: These requests can, of course, be associated with a date and time and your IP address. That’s just how the internet works. Your IP address is associated with a certain city and state. Each OCSP request tells Apple the developer that created the app you’re launching, your general location, and the date and time on which you launched the app.
  • Lack of Encryption Means Snooping Is Possible: The OCSP protocol is unencrypted. Not only does Apple get this information—anyone in the middle can also see this information. Your internet service provider, workplace network administrator, or even a spy agency monitoring internet traffic could eavesdrop on the OCSP traffic between you and Apple and learn all these details. These requests also go through a third-party content distribution network (CDN) named Akamai. This speeds them up—but adds another middleman that could technically snoop.

Info: Your Mac isn’t telling Apple which app you’re launching. Instead, your Mac is just telling Apple which developer created the app you’re launching. Of course, many developers just create one app. This technical distinction often doesn’t mean much.

(Remember: With the change to caching behavior, your Mac is no longer asking Apple every time you launch an app. It’s only doing this every 12 hours instead of every 5 minutes.)
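To make the snooping concern concrete, here is an added example (not Apple’s code and not from the original article) that builds a minimal OCSP request as defined in RFC 6960 using only the Python standard library, then decodes it the way a passive on-path observer would. The issuer name, issuer key, serial numbers and the developer lookup table are constructed sample values, not Apple’s real certificate data.

```python
"""Minimal OCSP request (RFC 6960) built and parsed with the standard library only.
Added example, not Apple's or the article's code. It shows the fields anyone on the
path can read from one unencrypted request to ocsp.apple.com: hashes of the issuing
CA's name and key plus the certificate serial number, which together identify the
developer certificate (and so the developer, not the individual app)."""
import hashlib

SHA1_OID = bytes.fromhex("2b0e03021a")  # OID 1.3.14.3.2.26 (id-sha1) in DER form


def der_len(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(payload)) + payload


def der_uint(value: int) -> bytes:
    """DER INTEGER payload for a non-negative value (leading 0x00 when the high bit is set)."""
    return value.to_bytes(value.bit_length() // 8 + 1, "big")


# Constructed stand-ins for the issuing CA: a DER Name with one CN, and raw public-key bytes.
SAMPLE_ISSUER_NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403"))
                                                     + tlv(0x0C, b"Example Dev CA"))))
SAMPLE_ISSUER_KEY = bytes(range(64))
ISSUER_KEY_HASH = hashlib.sha1(SAMPLE_ISSUER_KEY).hexdigest()


def build_cert_id(issuer_name: bytes, issuer_key: bytes, serial: int) -> bytes:
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }."""
    algorithm = tlv(0x30, tlv(0x06, SHA1_OID) + b"\x05\x00")  # sha1 with NULL parameters
    return tlv(0x30, algorithm
               + tlv(0x04, hashlib.sha1(issuer_name).digest())
               + tlv(0x04, hashlib.sha1(issuer_key).digest())
               + tlv(0x02, der_uint(serial)))


def build_ocsp_request(issuer_name: bytes, issuer_key: bytes, serial: int) -> bytes:
    """OCSPRequest { TBSRequest { requestList SEQUENCE OF Request { reqCert CertID } } }.
    Optional version, requestorName, extensions and signature are omitted."""
    request = tlv(0x30, build_cert_id(issuer_name, issuer_key, serial))
    return tlv(0x30, tlv(0x30, tlv(0x30, request)))


def read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Parse one DER element at pos; return (tag, payload, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        count = first & 0x7F
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + count], "big"), 2 + count
    start = pos + header
    return tag, buf[start:start + length], start + length


def children(payload: bytes) -> list[tuple[int, bytes]]:
    """All top-level elements inside a constructed DER payload."""
    out, pos = [], 0
    while pos < len(payload):
        tag, value, pos = read_tlv(payload, pos)
        out.append((tag, value))
    return out


def observer_view(request: bytes) -> dict:
    """What an ISP, CDN or workplace proxy reads from the plaintext request bytes."""
    _, tbs_request, _ = read_tlv(request)        # OCSPRequest.tbsRequest element
    _, tbs_body, _ = read_tlv(tbs_request)       # TBSRequest contents
    # requestList is the plain SEQUENCE; [0] version / [1] requestorName would be context-tagged
    request_list = next(v for t, v in children(tbs_body) if t == 0x30)
    _, first_request = children(request_list)[0]
    _, cert_id = children(first_request)[0]      # Request.reqCert
    _, name_hash, key_hash, serial = [v for _, v in children(cert_id)]
    return {"issuer_name_hash": name_hash.hex(), "issuer_key_hash": key_hash.hex(),
            "serial": int.from_bytes(serial, "big")}


# Constructed table an observer could build from developer certificates seen elsewhere;
# a real observer would key on the issuer key hash plus serial exactly as here.
KNOWN_CERTS = {(ISSUER_KEY_HASH, 0x1001): "Example Browser Vendor",
               (ISSUER_KEY_HASH, 0x1002): "Example Anonymity Project"}


def developer_for(view: dict) -> str:
    """Join the observed CertID against certificates the observer has already collected."""
    return KNOWN_CERTS.get((view["issuer_key_hash"], view["serial"]), "unknown developer")


if __name__ == "__main__":
    req = build_ocsp_request(SAMPLE_ISSUER_NAME, SAMPLE_ISSUER_KEY, 0x1002)
    view = observer_view(req)
    print(f"{len(req)}-byte request on the wire; observer sees {view}")
    print("inferred developer:", developer_for(view))
```

Every app signed with the same developer certificate produces an identical request, which is why the observer learns the developer rather than the app.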

Why Is Your Mac Doing This?

As you might expect, this is all about security. The Mac is a more open platform than the iPad and iPhone. You can download apps from anywhere, even outside of Apple’s Mac App Store.

To protect the Mac from malware—and yes, Mac malware has become more common—Apple implemented this security check. If a certificate used to sign an app is revoked, your Mac can immediately spring into action and refuse to open that app. This gives Apple the power to stop Macs from launching known-malicious apps.

Can You Block the OCSP Checks?

These OCSP checks are designed to quickly and silently fail when a Mac is either offline or can’t contact the ocsp.apple.com server. That makes them simple to block: Just prevent your Mac from connecting to ocsp.apple.com. For example, you can often block this address on your router, preventing all devices on your network from connecting to it.

Unfortunately, it seems like Big Sur no longer lets software-level firewalls on the Mac block the Mac’s built-in trustd process from accessing remote servers like this.

Warning: If you block the ocsp.apple.com server, your Mac won’t notice when Apple has revoked an app’s developer certificate. You’re choosing to disable a security feature and this could put your Mac at risk.

A man using a MacBook with the "pinwheel of death" on the screen.
guteksk7/Shutterstock.com

Apple appears to have heard the criticism. On November 16, 2020, the company added information about “privacy protections” for Gatekeeper on its website. First, Apple says it has never combined data from these certificate or malware checks with any other data Apple knows about you. The company promises it doesn’t use this information to track which apps individuals are launching on their Macs.

Second, Apple insists that these certificate checks are not associated with your Apple ID or any device-specific information beyond your IP address. Apple says it has stopped logging IP addresses associated with these requests and will be removing them from Apple’s logs.

Over the next year—in other words, by the end of 2021—Apple says it will make these changes:

  • Replace OCSP With an Encrypted Protocol: Apple says it will create a new encrypted protocol to replace the unencrypted OCSP system for checking developer certificates. This will prevent anyone in the middle from snooping.
  • Stop the Slowdowns: Apple also promises “strong protections against server failure”—in other words, apps won’t be slow to load because a server slowed down again.
  • Provide Choice to Users: Apple says Mac users will be able to turn these security protections off and prevent their Mac from checking for revoked developer certificates.

Overall, these changes will eliminate various problems—third parties can no longer snoop in the middle. Macs will still send Apple information it can use to track which apps you open, but Apple promises not to associate that information with you. Slowdowns should be eliminated as Apple fixes the performance problem, too.

What will this better protocol be? Well, Apple hasn’t yet said what it will replace OCSP with. As security researcher Scott Helme notes, something like CRLite could help thread the needle here. Imagine if your Mac could download a single file from Apple and regularly update it. The file would contain a compressed list of all certificate revocations. Whenever you launch an app, your Mac could check the file, eliminating the network checks and privacy problems.

Your Mac Does Sometimes Send App Hashes to Apple

By the way, your Mac does sometimes send hashes of the apps you open to Apple’s servers. This is different from the OCSP signature checks. Instead, it has to do with Gatekeeper notarization.

Developers can upload apps to Apple, which checks them for malware and then “notarizes” them if they seem safe. This notarization ticket information can be “stapled” to the app. If a developer doesn’t staple the ticket information to the app file, your Mac will check with Apple’s servers the first time you launch that app. This only happens the first time you launch a given version of an app—not every time it opens. And the online check can be eliminated by the developer through stapling.

Macs aren’t unique here. For example, Windows 10 PCs often upload data about apps you download to Microsoft’s SmartScreen service to check for malware. Antivirus programs and other security applications may upload information about suspicious-looking apps to the security company, too.

How to Clear Safari Browsing Data with a Keyboard Shortcut

If you use Safari on Mac and would like to quickly clear your browser history without digging through menus, you can take care of it with a keyboard shortcut and a click by creating a custom shortcut in System Preferences. Here’s how.

First, we’ll need to visit “System Preferences” to create the custom keyboard shortcut. On your Mac, click the “Apple” icon in the upper-left corner and select “System Preferences.”

Click the Apple icon, and then select "System Preferences."

In “System Preferences,” select “Keyboard.” In “Keyboard” preferences, click the “Shortcuts” tab.

Click "Shortcuts" in the "Keyboard" menu.

In the sidebar menu, click “App Shortcuts.”

Click "App Shortcuts."

Click the plus sign (+) located near the bottom of the window to add a new shortcut.

Click the plus sign (+) to add a keyboard shortcut.

A pop-up window will appear. First, click the drop-down menu labeled “Application” and select “Safari.app.”

In the Application drop-down menu, select "Safari."

In the “Menu Title” text box, enter “Clear History...” exactly. It must include the three dots at the end, as it must match the existing menu command in Safari under the “History” menu. Next, select the “Keyboard Shortcut” box and type the shortcut you want to use to clear Safari’s browser history. We chose Shift+Command+H, but you can enter any unused keyboard combination.

In the Menu Title box, enter "Clear History..." then define a keyboard shortcut combination.

Then click the “Add” button, and the shortcut will be added to the list. You can now close System Preferences (unless you want to tweak the keyboard shortcut combination after testing it out).

Open “Safari” and press the keyboard shortcut you just defined. A small pop-over window will appear with a drop-down menu and two buttons. In the “Clear” menu, you can choose how much of your history is cleared. When you’re ready, click the “Clear History” button.

Click "Clear History."

Your Safari browsing history will be cleared to whatever level you selected. Safari will remember the setting you chose in the “Clear” menu, so next time you call up the window with your custom shortcut, you can just click the “Clear History” button.

If you find yourself frequently clearing your browser history, consider trying Safari’s Private Browsing mode, which is a special mode that doesn’t keep track of your browsing history. You can even configure Safari to start with a Private window every time you open the app.

How to Password Protect Photos on iPhone and iPad

Sometimes, you need to protect your iPhone or iPad photos from prying eyes that might also have access to your device. Unfortunately, Apple doesn’t provide an obvious, secure way to do this. However, there’s a work-around thanks to the Notes app.

You probably already know about the “Hidden Photos” folder in the Photos app on iPhone and iPad. In iOS 14 and iPadOS 14, you can hide that folder, as well. However, images hidden in the Photos app aren’t password-protected. There are other ways you can hide private photos on your Apple device, but they often involve third-party apps.

We’ll show you how to use the Notes app (which is on every iPhone and iPad) and a feature first introduced in iOS 9.3 to secure certain photos on your device. First, you’ll have to insert your photos into a note, and then you can lock them behind a password.

How to Password Protect Photos Using Notes

If the photos you’d like to lock behind a password aren’t already on your iPhone or iPad, move them there. Next, open the Notes app and tap the New Note icon (the pencil and paper) to create a new note.

Tap the New Note icon in Notes.

On the first line of the new note, type some text that won’t attract too much attention. This will appear in the list of notes, even after you lock it.

A note called "Gravel Statistics."

Tap the Add Photo icon (the camera) in the toolbar. On an iPad, you’ll find this at the top. On an iPhone, it’ll either be above the on-screen keyboard or at the bottom of the screen.

In the menu that appears, tap “Choose Photo or Video.”

Tap "Choose Photo or Video."

On the following screen, tap the thumbnail of each photo you want to add (a checkmark will indicate they’re selected). When you’re done, tap “Add.”

Tap the photos you want to add, and then tap "Add."

Notes will insert the photos you selected into the note file. To lock the note, tap the Ellipsis icon (the three dots in a circle).

Tap the Ellipsis icon.

In the window that appears, tap “Lock.”

Tap "Lock."

If you’ve previously set a Notes password, you’ll be asked to type it; after you do so, tap “OK.”

Haven’t set a password? No problem! Notes will ask you to create one. Just remember, you’ll have to use this password to view all locked notes. If you’ve enabled the Notes app to sync to iCloud, this same password will also apply to other Apple devices signed into iCloud.

Type a password and a hint. If your device supports it, you’ll also have the option to lock Notes using Touch or Face ID. After you’ve typed your info and made your selections, tap “Done.”

Type a Notes password, verify it, and then tap "Done."

Notes will confirm the lock has been added, but don’t walk away yet! This only enables the lock setting—you’ll still have to lock the note itself to make it secure.

To do so, open the note, and then tap the Padlock icon in the toolbar.

Tap the Padlock icon.

You’ll then see a confirmation that says “This note is locked.” If you want to double-check, just tap “View Note.”

Tap "View Note."

When Notes asks for your password, type it, and then tap “OK.”

Type your password, and then tap "OK."

You’ll then see all the photos you added to the secure note.

Make sure you also visit the Photos app and delete the images you just password-protected. After that, you’ll need to visit the “Recently Deleted” folder in Photos and delete them there, as well.

How Secure Are Locked iPhone or iPad Notes?

Locked notes on an iPhone or iPad are encrypted to the extent that it would be difficult to extract them, even with forensic tools. It’s not ironclad state-security-level encryption, though. One research firm recently discovered some weaknesses in the Notes app. These could allow a determined attacker with unrestricted access to your device to guess the partial contents of a locked note.

These circumstances are rare, but there might also be other undiscovered bugs in Notes that could potentially compromise a note’s security.

For casual privacy purposes, however, locked notes are secure enough for most people to prevent opportunistic snooping. Just make sure you don’t create a password that’s easy to guess!

Why iPhone Apps Ask for “Devices on Your Local Network”

The local network permission prompt on an iPhone with iOS 14

iPhone and iPad apps must ask for permission “to find and connect to devices on your local network.” This request was added in the iOS 14 and iPadOS 14 updates. Here’s what this message means and how you should answer it.

Whenever an iPhone or iPad app wants to scan your local network for devices and connect to them, it has to ask for permission first.

You’ll see a dialog saying an app “would like to find and connect to devices on your local network” while using many apps. You only have two options: “Don’t Allow” or “OK.” If you grant access, an app can scan the networks you connect to for devices. For example, an app that needs to connect to a smart speaker or a Chromecast will need this access to find such devices on your network and connect to them. If you don’t allow local network scanning access, it won’t find the local device.

However, some apps seem to request this access for unclear purposes. For example, the Facebook app asks for this permission—perhaps so you can cast videos to another device? We’ve also seen this prompt appear in banking applications, and we’re not sure why. Apps could theoretically use this feature to gather data on your network—for example, they could detect the smart devices on your network and use that information to fine-tune an advertising profile about you.

Prior to Apple introducing this prompt, iPhone or iPad apps could do this in the background without your permission. The scanning isn’t new—the only thing new here is the prompt.

Should You Allow or Deny the Request?

Spotify asking to scan the local network on an iPhone

If you plan on using a feature that requires finding and connecting to a device on your local network in that app, you should allow the request. Here are some examples of requests you should allow:

  • Music apps, if you plan on connecting to a smart speaker.
  • Video apps, if you plan on streaming to a Chromecast or other device.
  • Smarthome apps that find and connect to devices on your network.

If you don’t plan on using a feature that requires this—for example, if you’re just listening to music on your headphones in Spotify and you don’t plan on connecting to a smart speaker—you can deny this request without a problem.

Even if you do change your mind, you can quickly toggle an app’s access to your local network on or off in the Settings app. If you have no clue why an app wants this feature—for example, if an online banking app wants to scan for local devices—we recommend you deny the request. That will help protect your privacy, ensuring apps can’t collect as much data about your network and the devices you own.

How to Control Local Network Access Later

If you change your mind later and want to give an app local network access—or revoke the app’s ability to access devices on your local network—you can do so in Settings.

To do so, head to Settings > Privacy > Local Network on your iPhone. Any app that has requested permission to access your local network will appear here. Apps with a green switch have access to your local network, while apps with a grayed out switch do not. Tap the switch to allow or deny local network access for an app.

The Settings > Privacy > Local Network screen on an iPhone

How to Use Port Knocking on Linux (and Why You Shouldn’t)

Hand knocking on a closed door.

Port knocking is a way to secure a server by closing firewall ports—even those you know will be used. Those ports are opened on demand if—and only if—the connection request provides the secret knock.

In the 1920s, when prohibition was in full swing, if you wanted to get into a speakeasy, you had to know the secret knock and tap it out correctly to get inside.

Port knocking is a modern equivalent. If you want people to have access to services on your computer but don’t want to open your firewall to the internet, you can use port knocking. It allows you to close the ports on your firewall that allow incoming connections and have them open automatically when a prearranged pattern of connection attempts is made. The sequence of connection attempts acts as the secret knock. Another secret knock closes the port.

Port knocking is something of a novelty, but it’s important to know it’s an example of security through obscurity, and that concept is fundamentally flawed. The secret of how to access a system is safe because only those in a specific group know it. But once that secret is out—either because it’s revealed, observed, guessed, or worked out—your security is void. You’re better off securing your server in other, stronger ways, like requiring key-based logins for an SSH server.

The most robust approaches to cybersecurity are multilayered, so, perhaps port knocking should be one of those layers. The more layers, the better, right? However, you could argue that port knocking doesn’t add much (if anything) to a properly hardened, secure system.

Cybersecurity is a vast and complicated topic, but you shouldn’t use port knocking as your only form of defense.

Installing knockd

To demonstrate port knocking, we’re going to use it to control port 22, which is the SSH port. We’ll use a tool called knockd. Use apt-get to install this package onto your system if you use Ubuntu or another Debian-based distribution. On other Linux distributions, use your Linux distribution’s package management tool, instead.

Type the following:

sudo apt-get install knockd

"sudo apt-get install knockd" command in a terminal window.

You probably already have the iptables firewall installed on your system, but you might need to install the iptables-persistent package. It handles the automatic loading of saved iptables rules.

Type the following to install it:

sudo apt-get install iptables-persistent

"sudo apt-get install iptables-persistent" command in a terminal window.

When the IPv4 configuration screen appears, press the space bar to accept the “Yes” option.

Press the space bar to accept the "Yes" option in the iptables-persistent IPv4 screen.

Press the space bar again in IPv6 configuration screen to accept the “Yes” option and move on.

Press the space bar to accept the "Yes" option in the IPv6 configuration screen.

The following command tells iptables to allow established and ongoing connections to continue. We’ll issue another command afterwards to close the SSH port, and if someone is connected by SSH when we do, we don’t want them to be cut off:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

"sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" command in a terminal window.

This command adds a rule to the firewall that says:

  • -A: Append the rule to the firewall rules table. That is, add it to the bottom.
  • INPUT: This is a rule about incoming connections.
  • -m conntrack: Firewall rules act upon network traffic (packets) that match criteria in the rule. The -m parameter causes iptables to use extra packet matching modules—in this case, the one called conntrack works with the network connection tracking capabilities of the kernel.
  • --ctstate ESTABLISHED,RELATED: This specifies the type of connection to which the rule will apply, namely ESTABLISHED and RELATED connections. An established connection is one that’s already in progress. A related connection is one that’s made due to an action from an established connection. Perhaps someone who is connected wants to download a file; that might happen over a new connection initiated by the host.
  • -j ACCEPT: If the traffic matches the rule, jump to the ACCEPT target in the firewall. In other words, the traffic is accepted and allowed to pass through the firewall.

Now we can issue the command to close the port:

sudo iptables -A INPUT -p tcp --dport 22 -j REJECT

"sudo iptables -A INPUT -p tcp --dport 22 -j REJECT in a terminal window" command in a terminal window.

This command adds a rule to the firewall that says:

  • -A: Append the rule to the firewall rules table, i.e., add it to the bottom.
  • INPUT: This rule is about incoming connections.
  • -p tcp: This rule applies to traffic that uses the Transmission Control Protocol.
  • --dport 22: This rule specifically applies to TCP traffic that targets port 22 (the SSH port).
  • -j REJECT: If the traffic matches the rule, jump to the REJECT target in the firewall. So, if the traffic is rejected, it’s not permitted through the firewall.

We must start the netfilter-persistent daemon. We can do so with this command:

sudo systemctl start netfilter-persistent

"sudo systemctl start netfilter-persistent" in a terminal window.

We want netfilter-persistent to go through a save and reload cycle, so it loads and controls the iptables rules.

Type the following commands:

sudo netfilter-persistent save

"sudo netfilter-persistent save" in a terminal window.

sudo netfilter-persistent reload

"sudo netfilter-persistent reload" in a terminal window.

You’ve now installed the utilities, and the SSH port is closed (hopefully, without terminating anyone’s connection). Now, it’s time to configure the secret knock.

Configuring knockd

There are two files you edit to configure knockd. The first is the following knockd configuration file:

sudo gedit /etc/knockd.conf

"sudo gedit /etc/knockd.conf" in a terminal window.

The gedit editor opens with the knockd configuration file loaded.

The knockd config file in the gedit editor.

We’ll edit this file to suit our needs. The sections we’re interested in are “openSSH” and “closeSSH.” The following four entries are in each section:

  • sequence: The sequence of ports someone must access to open or close port 22. The default ports are 7000, 8000, and 9000 to open it, and 9000, 8000, and 7000 to close it. You can change these or add more ports to the list. For our purposes, we’ll stick with the defaults.
  • seq_timeout: The time period within which someone has to access the ports to trigger it to open or close.
  • command: The command sent to the iptables firewall when the open or close action is triggered. These commands either add a rule to the firewall (to open the port) or take it out (to close the port).
  • tcpflags: The type of packet each port must receive in the secret sequence. A SYN (synchronize) packet is the first in a TCP connection request, called a three-way handshake.

The “openSSH” section can be read as “a TCP connection request must be made to ports 7000, 8000, and 9000—in that order and within 5 seconds—for the command to open port 22 to be sent to the firewall.”

The “closeSSH” section can be read as “a TCP connection request must be made to ports 9000, 8000, and 7000—in that order and within 5 seconds—for the command to close port 22 to be sent to the firewall.”

The Firewall Rules

The “command” entries in the openSSH and closeSSH sections remain the same, except for one parameter. This is how they’re comprised:

  • -A: Append the rule to the bottom of the firewall rules list (for the openSSH command).
  • -D: Delete the command from the firewall rules list (for the closeSSH command).
  • INPUT: This rule is concerned with incoming network traffic.
  • -s %IP%: The IP address of the device requesting a connection.
  • -p: Network protocol; in this case, it’s TCP.
  • --dport: The destination port; in our example, it’s port 22.
  • -j ACCEPT: Jump to the accept target within the firewall. In other words, let the packet drop through the rest of the rules without acting on it.

The knockd Configuration File Edits

The edits we’ll make to the file are highlighted in red below:

The knockd config file in the gedit editor with the edits highlighted.

We extend the “seq_timeout” to 15 seconds. This is generous, but if someone’s manually firing in connection requests, he might need this much time.

In the “openSSH” section, we change the -A (append) option in the command to -I (insert). This inserts the new firewall rule at the top of the firewall rule list. If you leave the -A option, the rule is appended to the list and ends up at the bottom.

Incoming traffic is tested against each firewall rule in the list from the top down. We already have a rule that closes port 22. So, if incoming traffic is tested against that rule before it sees the rule that allows the traffic, the connection is refused; if it sees this new rule first, the connection is allowed.

The close command removes the rule added by openSSH from the firewall rules. SSH traffic is once more handled by the pre-existing “port 22 is closed” rule.

After you make these edits, save the configuration file.
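To make the sequence, seq_timeout and rule-ordering logic above concrete, here is an added example (not knockd’s own source) that simulates the two knockd sections we configured together with a first-match model of the iptables INPUT chain. It replays the knock, SSH and reverse-knock session used later in the article, shows what happens when the knocks arrive more slowly than seq_timeout, and shows why -A instead of -I would leave port 22 closed. Client addresses and knock timings are constructed.

```python
"""Simulation of the knockd logic described above (added example, not knockd's
source): a per-client tracker for each [section] of knockd.conf that enforces the
port order and seq_timeout, plus a first-match model of the iptables INPUT chain
that shows why the openSSH command must use -I rather than -A."""
from dataclasses import dataclass
from typing import Callable, Optional

SSH_PORT = 22
OPEN_SEQ = (7000, 8000, 9000)   # knockd defaults, kept above
CLOSE_SEQ = (9000, 8000, 7000)
SEQ_TIMEOUT = 15.0              # seconds, the value we set in knockd.conf


@dataclass(frozen=True)
class Rule:
    target: str                  # "ACCEPT" or "REJECT"
    dport: Optional[int] = None  # --dport match, None matches any port
    src: Optional[str] = None    # -s match, None matches any source


class Chain:
    """Ordered rule list evaluated top-down; the first matching rule decides."""
    def __init__(self) -> None:
        self.rules: list[Rule] = []

    def append(self, rule: Rule) -> None:   # iptables -A: add at the bottom
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # iptables -I: add at the top
        self.rules.insert(0, rule)

    def delete(self, rule: Rule) -> None:   # iptables -D: remove the first identical rule
        if rule in self.rules:
            self.rules.remove(rule)

    def verdict(self, src: str, dport: int) -> str:
        for rule in self.rules:
            if rule.dport in (None, dport) and rule.src in (None, src):
                return rule.target
        return "ACCEPT"  # chain policy ACCEPT, as in the setup above


class KnockTracker:
    """One [section]: sequence, seq_timeout and the command run with %IP% filled in."""
    def __init__(self, name: str, sequence: tuple, seq_timeout: float,
                 command: Callable[[str], str]) -> None:
        self.name, self.sequence, self.seq_timeout, self.command = name, sequence, seq_timeout, command
        self.progress: dict[str, tuple[int, float]] = {}  # src -> (stages done, start time)

    def knock(self, src: str, port: int, now: float) -> list[str]:
        """Feed one SYN from src to port; return syslog-style lines (format is approximate)."""
        idx, started = self.progress.get(src, (0, now))
        if idx and now - started > self.seq_timeout:
            idx, started = 0, now            # partial sequence expired: start over
        if port != self.sequence[idx]:
            if port != self.sequence[0]:     # wrong port: abandon this attempt
                self.progress.pop(src, None)
                return []
            idx, started = 0, now            # first port again: begin a fresh attempt
        idx += 1
        log = [f"{src}: {self.name}: Stage {idx}"]
        if idx < len(self.sequence):
            self.progress[src] = (idx, started)
            return log
        self.progress.pop(src, None)
        log.append(f"{src}: {self.name}: OPEN SESAME")
        log.append(f"{self.name}: running command: {self.command(src)}")
        return log


def simulate(open_uses_insert: bool = True) -> dict:
    """Replay knock / SSH / reverse knock / too-slow knock against the model chain."""
    chain = Chain()
    chain.append(Rule("REJECT", dport=SSH_PORT))   # iptables -A INPUT -p tcp --dport 22 -j REJECT

    def open_cmd(ip: str) -> str:
        flag = "-I" if open_uses_insert else "-A"
        (chain.insert if open_uses_insert else chain.append)(Rule("ACCEPT", SSH_PORT, ip))
        return f"/sbin/iptables {flag} INPUT -s {ip} -p tcp --dport 22 -j ACCEPT"

    def close_cmd(ip: str) -> str:
        chain.delete(Rule("ACCEPT", SSH_PORT, ip))
        return f"/sbin/iptables -D INPUT -s {ip} -p tcp --dport 22 -j ACCEPT"

    trackers = [KnockTracker("openSSH", OPEN_SEQ, SEQ_TIMEOUT, open_cmd),
                KnockTracker("closeSSH", CLOSE_SEQ, SEQ_TIMEOUT, close_cmd)]
    knocker, bystander = "192.168.4.23", "192.168.4.99"   # constructed client addresses
    log: list[str] = []

    def knocks(src: str, ports: tuple, t0: float, delay: float = 0.5) -> None:
        for i, port in enumerate(ports):          # like: knock HOST p1 p2 p3 -d 500
            for tracker in trackers:
                log.extend(tracker.knock(src, port, t0 + i * delay))

    knocks(knocker, OPEN_SEQ, t0=0.0)
    after_open = (chain.verdict(knocker, SSH_PORT), chain.verdict(bystander, SSH_PORT))
    knocks(knocker, CLOSE_SEQ, t0=5.0)
    after_close = chain.verdict(knocker, SSH_PORT)
    knocks(knocker, OPEN_SEQ, t0=20.0, delay=10.0)  # 20 s for three knocks > seq_timeout
    return {"after_open": after_open, "after_close": after_close, "log": log,
            "after_slow": chain.verdict(knocker, SSH_PORT),
            "sesame_count": sum("OPEN SESAME" in line for line in log)}
```

Calling simulate() returns the verdicts and the log; the log contains “OPEN SESAME” twice, once for the open sequence and once for the close sequence, just as the real syslog does.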

The knockd Control File Edits

The knockd control file is altogether simpler. Before we dive in and edit that, though, we need to know the internal name for our network connection; to find it, type this command:

ip addr

The "ip addr" command in a terminal window.

The connection this machine uses to research this article is called enp0s3. Make a note of the name of your connection.

The following command edits the knockd control file:

sudo gedit /etc/default/knockd

"sudo gedit /etc/default/knockd" command in a terminal window.

Here’s the knockd file in gedit.

The knockd control file in gedit.

The few edits we need to make are highlighted in red:

The knockd control file in gedit with the edits highlighted.

We changed the “START_KNOCKD=” entry from 0 to 1.

We also removed the hash # from the start of the “KNOCKD_OPTS=” entry, and replaced “eth1” with the name of our network connection, enp0s3. Of course, if your network connection is eth1, you won’t change it.

The Proof Is in the Pudding

It’s time to see if this works. We’ll start the knockd daemon with this command:

sudo systemctl start knockd

"sudo systemctl start knockd" command in a terminal window.

Now, we’ll jump on another machine and try to connect. We installed the knockd tool on that computer, too, not because we want to set up port knocking, but because the knockd package provides another tool called knock. We’ll use this machine to fire in our secret sequence and do the knocking for us.

Use the following command to send your secret sequence of connection requests to the ports on the port knocking host computer with the IP address 192.168.4.24:

knock 192.168.4.24 7000 8000 9000 -d 500

This tells knock to target the computer at IP address 192.168.4.24 and fire a connection request to ports 7000, 8000, and 9000, in turn, with a -d (delay) of 500 milliseconds between them.

A user called “dave” then makes an SSH request to 192.168.4.24:

ssh dave@192.168.4.24

His connection is accepted, he enters his password, and his remote session begins. His command prompt changes from dave@nostromo to dave@howtogeek. To log out of the remote computer, he types:

exit

His command prompt returns to his local computer. He uses knock once more, and this time, it targets the ports in reverse order to close the SSH port on the remote computer.

knock 192.168.4.24 9000 8000 7000 -d 500

Port knocking and ssh connection session in a terminal window.

Admittedly, this wasn’t a particularly fruitful remote session, but it demonstrates the opening and closing of the port via port knocking and fits in a single screenshot.

So, what did this look like from the other side? The system administrator on the port knocking host uses the following command to view new entries that arrive in the system log:

tail -f /var/log/syslog

A syslog showing the port knocking events in a terminal window.

  • You see three openSSH entries. These are raised as each port is targeted by the remote knock utility.
  • When all three stages of the trigger sequence are met, an entry that says “OPEN SESAME” is logged.
  • The command to insert the rule into the iptables rules list is sent. It permits access via SSH on port 22 from the specific IP address of the PC that gave the correct secret knock (192.168.4.23).
  • The user “dave” connects for a few seconds only, and then disconnects.
  • You see three closeSSH entries. These are raised as each port is targeted by the remote knock utility—it tells the port knocking host to close port 22.
  • After all three stages are triggered, we get the “OPEN SESAME” message again. The command is sent to the firewall to remove the rule. (Why not “CLOSE SESAME” when it’s closing the port? Who knows?)

Now the only rule in the iptables rules list regarding port 22 is the one we typed at the beginning to close that port. So, port 22 is now closed again.
