Thursday, August 19, 2021

LastPass can die in a hole

 "LastPass can die in a hole" - Me


I have been a LastPass Premium user for about 5 years now.  At first it was a relatively cheap and simple choice.  I wanted to give back after having been a Free user for a few years.  

I also signed up a few organisations to LastPass Enterprise, where we had key staff running LastPass Enterprise licenses and it was fine.

Then the price hikes came.  No new functionality, just higher costs.  Typical.

The resistance to change was high (for me personally) since I had everything working just the way I wanted it.  So I kept paying, each year, more and more than the previous years - with no improvement whatsoever in the product.

A couple of months ago, they forced the Free users (of which my wife was one) to choose between using LastPass Free on their computer or their phone.  Since my wife used LastPass on both platforms regularly, this obviously was a problem (by design).

So, I moved her to BitWarden. 

I created an account for her, exported her LastPass out to a CSV file, and imported it into BitWarden.  It took a couple of minutes.  We then installed BitWarden into her browser profile, and on to her phone.

It worked FLAWLESSLY.  

She hasn't touched LastPass since, and has NEVER complained.  She's happier with BitWarden.

I was still a Premium user of LastPass so I hadn't changed yet.  I had planned to do it next time I had to renew, but hadn't yet.

Then last night, I logged in to LastPass on my computer and it was telling me I needed to CHOOSE between Computer or Phone.  Like I was some LastPass Free user.  I checked to see what was going on, and my last payment was 7 months ago.  I was well and truly within my Premium subscription.

That's it, I'm done.  Assholes.

I had played a bit with BitWarden in the past, ran the two in parallel over a year ago just to evaluate the product.  I was happy, but then one day I was in a hurry and added a couple things to LastPass (which was still my primary password manager) and the two vaults diverged from each other.  

So I stopped using BitWarden, used LastPass only from then on.  

Since they've cancelled my Premium subscription 5 months early, I decided today was the day I make the move.

I purged my BitWarden vault, re-imported everything from LastPass into BitWarden, then disabled the LastPass browser plug-in.

It took about 2 minutes.

I have been recommending BitWarden to people for the last 18 months or so, and now I've finally cut them off too.  

I wonder if they'll refund my last 5 months since they screwed me.  I'm going to try.

Oh, I just paid for BitWarden Premium too.  I am more than happy to pay for a great product that isn't screwing over people out of pure greed.

LastPass can die in a hole.

Friday, January 24, 2020

Debian / OpenVPN Site-to-Site VPN Solution that works behind NAT

This post details how to set up an OpenVPN Site-to-Site VPN link which will route traffic between two sites, where only one site has one UDP port forwarded through its NAT router.  The second (restrictive) site can be behind multiple NAT routers, does not require any port forwarding, and can also be on a dynamic public IP address.

I make no guarantees about privacy, or security, or reliability.  However, I can tell you that this solution has been, and currently is, deployed in several locations and has rarely let me down. 
YMMV.

The two sites will be called Site A and Site B.
Each site requires a Linux machine (I will be using Debian, but any Linux distro with OpenVPN will work) with a single private IP address assigned to it. 

Site A
- can be called the Head Office, or main Hub
- will require a static public IP address
- will require a single UDP port forward rule added in to the site's internet router
- Local subnet is 192.168.6.0/24

Site B
- can be called the Branch Office, or remote office
- can be on a dynamic public IP
- will require outbound UDP traffic to be permitted
- does not require any port forwarding rules to function
- Local subnet is 192.168.10.0/24

We will also require a dedicated site-to-site subnet that will be used only by OpenVPN.  We will use 10.99.x.1 and 10.99.x.2 where x is the ID of the tunnel (starting from 0).  This will make more sense when you see the config below.

We will start configuring Site A's Debian VM (logged in as root already):

#Configure network interfaces as required (set your VM's IP to something static, or assign a static reservation in your DHCP server)  E.g. 192.168.6.200
nano /etc/network/interfaces

#Install OpenVPN and OpenSSH-Server
apt-get install openvpn openssh-server

#one time commands to enable tun
modprobe tun
echo 'tun' >> /etc/modules

#one time command to enable tunnels through firewall
iptables -A FORWARD -i tun+ -j ACCEPT

#generate tun0.key (OpenVPN 2.5 and later also accept the newer form: openvpn --genkey secret tun0.key)
cd /etc/openvpn
openvpn --genkey --secret tun0.key

#NOTE: tun0.key must be present on each site.  You can copy from the Site A VM to the Site B VM using WinSCP (or scp).  The files MUST be the same on each end per tunnel, and the key is the whole secret of the tunnel, so keep it readable by root only (chmod 600).  

#create a startup script which brings up the OpenVPN Server
nano /etc/init.d/S99startvpn

Copy the contents below into your S99startvpn file:

#! /bin/sh
### BEGIN INIT INFO
# Provides:          startvpn
# Required-Start:
# Required-Stop:
# Default-Start:      2
# Default-Stop:
# Short-Description: Host OpenVPN Servers
# Description:
### END INIT INFO
#Tun 0 - Site B will connect into us here on UDP PORT 5000
#(set the same --cipher and --auth on both ends to pin the cipher, e.g. --cipher AES-256-CBC --auth SHA256; older OpenVPN releases default to BF-CBC, which is weak)
openvpn --port 5000 --dev tun0 --ifconfig 10.99.0.1 10.99.0.2 --verb 1 --secret /etc/openvpn/tun0.key --fragment 1400 --mssfix 1400 --tun-mtu 1450 &
sleep 3
#set up a route to the remote LAN subnet for this tunnel (tun0 is point-to-point, so no next-hop address is needed)
ip route add 192.168.10.0/24 dev tun0
#enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Now save and close the script.

#When you have the script in place, make it executable and owned by root:
chmod +x /etc/init.d/S99startvpn
chown root:root /etc/init.d/S99startvpn

#Set it to start automatically on boot with:
update-rc.d S99startvpn defaults
update-rc.d S99startvpn enable

Your Site A VM is now set up and can be rebooted.  You shouldn't have to touch it again.
When it reboots, it will automatically start up an instance of OpenVPN that is listening for incoming connections on UDP port 5000.  It also has an IP of 10.99.0.1 on its side of the tunnel.

Let's configure Site B's Debian VM (logged in as root already):

#Configure network interfaces as required (set your VM's IP to something static, or assign a static reservation in your DHCP server) E.g. 192.168.10.200
nano /etc/network/interfaces

#Install OpenVPN and OpenSSH-Server
apt-get install openvpn openssh-server

#one time commands to enable tun
modprobe tun
echo 'tun' >> /etc/modules

#one time command to enable tunnels through firewall
iptables -A FORWARD -i tun+ -j ACCEPT

#NOTE: tun0.key must be present on each site.  You can copy from the Site A VM to the Site B VM using WinSCP (or scp).  The files MUST be the same on each end per tunnel, and should be readable by root only (chmod 600).  

#create a startup script which brings up the OpenVPN client
nano /etc/init.d/S99startvpn

#copy the contents below into your S99startvpn file:
#! /bin/sh
### BEGIN INIT INFO
# Provides:          startvpn
# Required-Start:
# Required-Stop:
# Default-Start:      2
# Default-Stop:
# Short-Description: Connect to VPN Server
# Description:
### END INIT INFO
#Tun0 - Connect to SITE A
openvpn --remote [INSERT_PUBLIC_IP_FOR_REMOTE_SITE_HERE] --port 5000 --dev tun0 --ifconfig 10.99.0.2 10.99.0.1 --verb 1 --secret /etc/openvpn/tun0.key --fragment 1400 --mssfix 1400 --tun-mtu 1450 &
sleep 30
#set up a route to the remote LAN subnet for this tunnel (tun0 is point-to-point, so no next-hop address is needed)
ip route add 192.168.6.0/24 dev tun0
#set up a ping to keep NAT alive, one ping sent once every 60 seconds, otherwise NAT translations get deleted and the tunnel won't pass traffic when needed
#(OpenVPN can do the same itself with --keepalive 10 60 on both ends)
ping 192.168.6.200 -i 60 &
#enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Save and close the script.

#When you have the script in place, make it executable and owned by root:
chmod +x /etc/init.d/S99startvpn
chown root:root /etc/init.d/S99startvpn

#Set it to start automatically on boot with:
update-rc.d S99startvpn defaults
update-rc.d S99startvpn enable

Your Site B VM is now set up and can be rebooted.  You shouldn't have to touch it again.
When it reboots, it will automatically start up an instance of OpenVPN that will connect to the Site A OpenVPN Server on UDP port 5000.  It also has an IP of 10.99.0.2 on its side of the tunnel.

For both VMs, you could run the commands from the S99startvpn script by hand to make sure everything works before you automate it via the startup script.
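A pre-flight check script for the two VMs, added here as an example rather than code from the original post: it prints a SHA-256 fingerprint of tun0.key so the two sites can confirm they hold the same static key, checks that the key file is not readable by other users, and verifies the tun0 address, the route to the remote subnet, forwarding and peer reachability that the startup script is supposed to leave in place. It assumes the post's names and addresses (tun0, /etc/openvpn/tun0.key, 10.99.0.1/10.99.0.2, 192.168.x.0/24); the variables and function names are mine.

```shell
#!/bin/sh
# Pre-flight checks for the static-key OpenVPN site-to-site tunnel.
# Added example; assumes the post's names (tun0, /etc/openvpn/tun0.key,
# 10.99.0.1/10.99.0.2) and is not the original post's own script.
KEY=${KEY:-/etc/openvpn/tun0.key}
TUN=${TUN:-tun0}
PEER=${PEER:-10.99.0.2}                      # Site A: 10.99.0.2, Site B: 10.99.0.1
REMOTE_NET=${REMOTE_NET:-192.168.10.0/24}    # Site A: 192.168.10.0/24, Site B: 192.168.6.0/24

# SHA-256 of the shared static key. Run on both sites and compare: the
# key file must be byte-for-byte identical at each end of a tunnel.
key_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# The static key is the whole secret of this tunnel, so it must not be
# readable by other local users. Succeeds for mode 0600 or 0400 only.
key_mode_ok() {
    m=$(stat -c %a "$1") || return 1
    [ "$m" = "600" ] || [ "$m" = "400" ]
}

# Local address of an interface, parsed from `ip -o -4 addr show dev X`
# output ($1). Handles both the point-to-point form ("inet A peer B/32")
# and the plain "inet A/NN" form.
tun_local_addr() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if ($i == "inet") { split($(i+1), a, "/"); print a[1]; exit } }'
}

# True when `ip route` output ($1) has a route for subnet $2 out of device $3.
route_present() {
    printf '%s\n' "$1" | grep -q "^$2 .*dev $3"
}

# True when the kernel forwards IPv4 (the startup scripts set this to 1).
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

run_checks() {
    rc=0
    echo "key fingerprint (must match the other site): $(key_fingerprint "$KEY")"
    key_mode_ok "$KEY" || { echo "FAIL: $KEY is readable by other users (chmod 600 it)"; rc=1; }
    addr=$(tun_local_addr "$(ip -o -4 addr show dev "$TUN" 2>/dev/null)")
    [ -n "$addr" ] && echo "$TUN is up with address $addr" || { echo "FAIL: $TUN has no address"; rc=1; }
    route_present "$(ip route)" "$REMOTE_NET" "$TUN" || { echo "FAIL: no route to $REMOTE_NET via $TUN"; rc=1; }
    forwarding_enabled || { echo "FAIL: ip_forward is 0"; rc=1; }
    ping -c 1 -W 2 "$PEER" >/dev/null 2>&1 && echo "peer $PEER reachable" || { echo "FAIL: peer $PEER not reachable"; rc=1; }
    return $rc
}

# Live checks only run when asked for, so the functions can be sourced elsewhere.
if [ "${RUN_CHECKS:-0}" = "1" ]; then
    run_checks
fi
```

Run it as RUN_CHECKS=1 sh check_tunnel.sh on Site A (defaults) and with PEER=10.99.0.1 REMOTE_NET=192.168.6.0/24 on Site B, then compare the two printed fingerprints.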

Finally, joining the sites together so that the traffic routes at layer 3:

There are several ways you can do this.  I prefer setting up a static route on each site's primary default gateway for the remote subnet, with the next hop being the IP of the hub at each site.  Not all routers let you do this. 

This means that when traffic bound for the remote subnet hits your default gateway, the gateway will see the static route and forward the packet on to your site's new hub, which will then forward it over the OpenVPN link to the remote site.
This must be done on both sites for the traffic to traverse the link in both directions.

However, if you do not control the router at your restrictive site for example, and therefore cannot add a static route to that router, you must use static routes on each machine in each site that need to communicate instead.

Here's an example for doing it on Windows on a host in Site B:
route -p add 192.168.6.0 mask 255.255.255.0 192.168.10.200

Here's what the route command would look like on a host in Site A:
route -p add 192.168.10.0 mask 255.255.255.0 192.168.6.200

All we're doing here is telling Windows to send traffic destined for the remote subnet to the new hub, instead of to the default gateway.

Please note that I came up with all of this 15 years ago when I knew almost nothing about any of this stuff.  As a result, there is a very good chance that the traffic isn't encrypted, or the keys are insecure, or the connection may not work with the latest version of Debian. 

There's also no firewall configured whatsoever (other than to allow all), and therefore there's nothing stopping anyone on either side of the link talking across it to devices on the other side.

There's no logging either, so you won't know what traffic is moving across the link. 

Also, this solution does nothing for DNS.  You will need to come up with your own solution, or use the IP addresses for communications. 

At the end of all this, you should have a functioning site to site link - if not, let me know and I'll try to help where I can. 
But, I know this works because I've been using this solution for 15 years with excellent results.

Good luck.

Thursday, February 1, 2018

Amazing summary of IT/Engineering staff and how to deal with and understand them

I'm posting this here because I don't want to lose it. https://www.computerworld.com/article/2527153/it-management/opinion--the-unspoken-truth-about-managing-geeks.html This article sums up my experiences in the IT world so well it hurts. Well worth the read.

Wednesday, December 20, 2017

My recommendations for passwords

Rules:
- Every site has a DIFFERENT password (i.e. no two sites should ever share a common password)
- Every password is complex, long and very random, e.g. password I just generated: PU#!$KnT8x^z82qG
- Every password is stored in a program called LastPass (https://www.lastpass.com/) which auto-fills the usernames and passwords for me when I visit sites.
- Every site that offers 2 Factor Authentication has it enabled, especially gmail/facebook, etc

My LastPass password vault is protected by a long password that I have never used anywhere else before and will never use again anywhere else, but it's still a password that I can remember. LastPass also has 2 Factor Auth enabled, and it signs out after a period of inactivity to protect the account from someone using my computer.

So, when signing up to a site, I generate a new RANDOM, LONG and COMPLEX password with LastPass and save the site/username/password combination in my LastPass vault.

When visiting that site, you ensure that you're signed in to LastPass and it will auto-fill the site's username and password for you from your vault. LastPass is an add-in for Chrome, IE, etc, so it's very seamless. It'll even import any saved passwords from Chrome's password store for you.

The above process protects you in the event of your one password (that most people use for every site) being stolen from some random site you used 3 years ago, and then used everywhere else since. If that happens, your whole digital world can be compromised very quickly.

It's a bit of work to get up and running (i.e. you have to go to every site you use, change your password to a new gibberish one, save it away in LastPass, etc) but once you get used to it it's far easier and much more secure.

LastPass is free for basic functionality, but if you want it on your phone too (recommended) it's $24 per year - which is a bargain.

I am even rolling LastPass out at work with a 'corporate' account, which allows us to share site passwords between staff easily.

The above advice is what I give everybody these days. Without doing something like the above you leave yourself very vulnerable to attack, manipulation, identity theft, etc.

I should also mention that SMS-based 2 Factor Authentication is VERY bad, and should be actively avoided/disabled wherever possible. You should instead use an Authenticator App on your phone (LastPass has one, Google has one also) which scans a QR code and generates one-time, time-based codes that roll every 30-60 seconds.

An example of why SMS is bad; this really happens a lot more often these days than people realise:
- Bad Guy gets some of your basic personal details (facebook, etc), email address and mobile phone number (where the 2FA SMS codes get sent to)
- Bad Guy calls your mobile phone provider (Telstra, optus, voda, etc) and pretends to be you, or your wife, in order to gain access to your account. Sometimes they even visit stores with fake ID and pretend to BE you.
- Bad Guy claims that your sim card is lost/broken, etc and does a SIM replacement for your number
- Your phone loses connection to the telco network, SMS and calls now go to the bad guy
- Bad Guy goes to gmail and fills out the 'forgot password' form, which sends a one time SMS code to your number, which bad guy is now in control of
- Bad Guy gains access to your gmail with a new password, and immediately removes your phone number from the recovery phone list and sets it to some other number he controls, probably changes the 2FA configuration also - you've now lost access to your email
- Bad Guy begins to pull info from your email, which has a wealth of knowledge these days, and begins commandeering your other properties (twitter, facebook, internet banking, superannuation, website domain registrations and hosting, internet records, business records and relationships, extorting friends and family with fake pleas for monetary assistance, targeting friends and family with crypto-malware, and any number of other horrible things)
- there are scripts online that automate all this and soon your life is in somebody else's hands and you will spend weeks/months fighting to get control back.
- Bad guy signs in to your Apple/Samsung/etc accounts, and remote erases your devices (phones, tablets, computers) to make it even harder for you to get back in to everything

So, SMS == bad, because the phone companies are very keen to pump and dump calls. They make very little effort to verify the caller beyond basic personal information, which these days can be found very easily online.

Sunday, April 17, 2016

My Belkin WeMo Journey - Part 1

A few years ago, I purchased a house with solar pool heating. The system is supposed to be controlled by a little box which monitors temperatures around the place. The box has a set point in it (which is the desired water temperature) and determines whether it can pump water through some tubes on the roof to raise the water temperature to that set point. The box didn't work, and was showing wildly inaccurate readings so I decided it would just be easier if I plugged the pump in and turned it on manually on hot days.

This actually worked pretty great. In the morning, on a day we knew would be hot, we'd fire up the pump and go to work. We would come home and the pool would be a nice temperature for swimming. But, sometimes I forgot the pump was on and didn't realise until I went to bed later that night. I was wasting a lot of energy pumping water around unnecessarily.

I found the Belkin WeMo online and thought it was a great idea. I grabbed a waterproof container for outside, and placed the WeMo in the box. Now, I could turn the pump on and off whenever I wanted, all from my mobile phone. Fantastic.

I consider myself a fairly early adopter of this technology, and so I expected and understood the teething problems I originally experienced with the WeMo. It would occasionally disassociate from my Wireless Access Point and I'd need to power cycle it. Sometimes it would not connect to the AP, and I'd have to do a factory reset on it. It was a bit of a pain, but with each firmware update the reliability improved.

Today, I have 7 WeMo devices, 6 of them are the basic WeMo switch and one is a WeMo Insight. The Insight is now what I use to run the pool solar pump. It's in its early infancy, so the stats collected aren't fantastic yet. The stats don't seem to persist across sessions and I can't get aggregated data from it yet, but I am sure these things will come with time.

The other WeMo devices I have control solenoid valves I have connected to sprinkler systems around my house. The in-built rules on the WeMo allow me to specify that after a switch has been turned on, it should automatically turn off after a set time. This means I don't accidentally water my front lawn for 3 hours. Love it!

I can water my front lawns (pop-up sprinklers), my front garden, my back garden, veggie patches, filling my pool with water, all from my phone. Plus, it also works via the internet.

There's currently a slight flaw though, which I hope one day can be resolved.
All of these WeMo switches are on my home WiFi network. This means that if a guest arrives at my house and connects to my Wireless, all they need to do is open the WeMo app on their phone and my WeMos appear in the list. Not only this, but their app then registers with the Belkin Servers and can control them from anywhere in the world without my permission. I have since created a 'Things' wireless network, which is completely separate from my home network, for the WeMos to live on. This prevents guests from being able to control my devices without my permission. But, most 'mum and dad' users won't know how to create separate wireless networks on their home router.

I have also created a C# WPF app which I can use to control these devices manually.
I watched a video by a pretty smart bloke on YouTube by the name of Jerry Berg (aka Barnacules).
This video of his (https://www.youtube.com/watch?v=ifzmJFdvNEE) demonstrates some code he wrote to use the WeMo Web API to control it via C# (or anything really). He very kindly released his code (in the video description), and I based several apps I have built around this foundation.
I now have a list which lists all of the WeMo devices in it. The app uses multi threading to regularly query the WeMo devices in the background and provide real-time updates on their status. Clicking on a WeMo allows you to turn that device on and off, etc.

The app also uses the UPnP searching that Jerry originally used (though it doesn't work on Windows 8 or up), and I took it one step further and integrated with the Windows implementation of nmap to scan for devices that look like a WeMo on your LAN automatically.

I went another step forward, and built an MVC5 web app in C# that lists all of the devices through an HTTPS website, and lets me control the devices from a web page hosted at my house. This means I can see and control the devices at home from any internet connected device with a web browser.

I did all of the above because over the last two years the WeMo Android app has gone from clunky, to great, to poor, to great again. I did all my development when the app was performing poorly. But, the developers there have really done a good job with the current version.

I don't know who else out there has deployed the WeMo to the extent that I have, use as many of them on a daily basis or has developed applications that can control them via the web api. I'd love to talk to people who have done stuff like this.

If you're keen to play around with the code I have written, I am happy to send the latest versions through to you. I've got a couple of other little purpose built WeMo apps that run on Windows that do other things too (I even improved on Jerry's 'router reboot' script by re-writing it in C#).

If anybody from Belkin reads this, please have a look at my wish list below:
- I'd like to be able to sign in to the WeMo app with a Google Account
- I'd like to be able to add specific WeMo devices to my WeMo account
- I'd like to be able to login to a WeMo website and see all of my devices
- I'd like to be able to add devices that exist at multiple different locations and control them from the same interface (at the moment, I have one device at my office which I use to reboot a flaky ADSL router. I can't see it in my Android App, and so I have to use custom C# code to control it remotely)
- I'd like to be able to make a WeMo device 'managed', so that only the WeMo account that I have added it to can control it from outside of my LAN
- I'd still like to be able to query the web interface on it via a LAN address (i.e. same subnet)

So far, super happy with these WeMos.

Wednesday, July 18, 2012

Swann SW111-EU1 - DRIVER

I have a Swann SW111-EU1 USB 10/100 Ethernet adapter, and I've been struggling to find a driver for it.

The Swann website (http://www.swann.com/s/products/view/?product=443#download) says that the driver should be this: ftp://ftp.swann.com.au/drivers/network_USB/WinME2kXP.zip But that file doesn't exist on their FTP server, and the file name is so generic it's nearly impossible to find it mirrored anywhere else on the net.

It turns out that the adapter itself is actually a Realtek RTL8150 chip. If you go up a directory on that FTP server to here: ftp://ftp.swann.com.au/drivers/network_USB/ you will see 8150_INST_5_126.zip in that folder. This is the driver you need for the Swann USB NIC. You can also find this driver on the Realtek website: http://www.realtek.com.tw/downloads/downloadsView.aspx?Langid=1&PNid=14&PFid=8&Level=5&Conn=4&DownTypeID=3&GetDown=false&Downloads=true

Hope this helps someone, as it's taken me a while to figure this all out for myself!

Saturday, May 19, 2012

How to reset your windows 7 password from the installation CD

My cousin came to me this week with an odd problem: She had "protected" her Windows 7 laptop from her sibling with a password. Except she did it months ago and can't remember what the password is now.

Windows 7 by default doesn't enable the Administrator account any more, so using a blank password on Administrator is out (this design feature is probably a good thing for the majority of cases).

After a bit of searching around the internet I found this article:
http://www.sevenforums.com/tutorials/85657-password-reset.html

It was very helpful, and worked perfectly.

The only thing I would add is that if you don't know the username of the account you want to change, at the very last command prompt before you reset the password simply type "net user" and it will list the user accounts on the machine.



For my sake:

Let's get Started!

1) The Boot Priority in the BIOS needs to be set to boot first from the optical drive; insert your Windows disk and re-start the PC. At the first screen select your language, then "Repair your computer"; it'll do some searching, then at System Recovery Options dot "Use recovery tools", select the OS and click Next. While there make note of the OS drive letter; it may not be C: (mine is D:).

2) At the next screen select "Command Prompt" then in the Command window type "regedit" (without the quotes) and hit enter.

3) In the Registry Editor window that opens click to select "HKey_Local_Machine" then at the "File" menu select "Load Hive".

4) In the "Look In" in the "Load Hive" window that opens navigate to (in my case) LocalDiskD:\Windows\System32\config\SYSTEM and click "Open".

5) In the "Load Hive", "Key Name" box give the new key a name e.g. " 123 " (it can be whatever you like) and click OK.

6) In the left pane of the registry Editor window click the " + " sign to expand the "HKey_Local_Machine" key then click the " + " sign to expand the "123" key then click to select the "Setup" key.

7) Now in the right pane right click "SetupType" and select "Modify", set the "Value data" to " 2 " and click OK.

8) Again in the right pane right click "CmdLine" and select "Modify" and set the "Value data" to "cmd.exe" and click OK.

9) Now just as a precaution, close the Registry Editor at the "File" menu click "Exit"; then in the Command window that's still open type "regedit" and hit enter to open the Registry Editor again.

10) In the Registry Editor click the " + " sign to expand HKey_Local_Machine and click to select the new "123" key, at the "File" menu select "Unload Hive" and click "Yes" for the "Are you sure ..." question.

11) Now close the Registry Editor at the "File" menu click "Exit" then in the Command window type "exit" and hit enter to close the Command window, then remove the Windows disk and restart the PC.

12) When the PC restarts a Command window will open; in that window type "net user USERNAME NEWPASSWORD" (mine is: net user "Bare Foot Kid" Test6). Be advised: if you have a username like mine, with spaces, you must use " " quotes around the user name. When you get the "Command Completed Successfully" message, type "exit" in the Command window and hit enter; at the logon screen use the new password you chose.

Enjoy!