Category Archives: Privacy/Security

Automatically Conceal Sender’s IP Address in Email Clients via SSH Tunneling

Last updated on November 22, 2018

Desktop email clients, such as Thunderbird and Claws Mail, are preferred over their web counterparts by many professionals and power users due to their additional convenience and security. However, one big downside is that they often expose the sender’s IP address to the receivers, since many SMTP servers record the sender’s IP address and put it in the header, something similar to Received: from [xxx.xxx.xxx.xxx] (my.example.com. [xxx.xxx.xxx.xxx]). This, unfortunately, puts the sender’s privacy in great jeopardy, as an IP address can reveal so much information including location, ISP, and institution names.

To address this issue, one simple solution is to let the email client connect via a proxy. While a system-widely available proxy works for many users, some of us just want our email clients, but not other programs, to go through a specific proxy. In this post, I’ll demonstrate how to use an email client automatically via SSH tunneling. The instructions are specifically tailored for GNU/Linux and MacOS users, as it involves some uses of UNIX commands and bash scripts; if you are on Windows, you can still follow the instructions with the help of Cygwin.

Continue reading

Use HTTP Clients with SOCKS Proxies (or SSH Tunnels) on GNU/Linux

On GNU/Linux, it is easy to create SOCKS proxies using programs such as ssh or tor. However, many applications on GNU/Linux, such as LibreOffice and genymotion (up to the date on which this post is written), can be configured to directly use HTTP proxies (or web proxies), but not SOCKS proxies. In this post, we will use privoxy, a non-cache web proxy, to enable these applications to use SOCKS proxies.

Continue reading

Security Checks to Do Before Installing an Android App

Last updated on August 21, 2016

Android is one of the most popular mobile operating systems. However, some Android apps can cause security issues if not carefully handled. They can be badly written which leaves a lot of security holes for intruders, or itself acts like a malware/virus. Therefore, before installing an Android app, one need to do some checks to make sure it won’t cause security issues.

Continue reading

Manage Passwords for Multiple Accounts with Checksums

Last updated on May 27, 2018

It is often hard to manage different passwords across many accounts: Complicated passwords, including handcrafted ones and those generated by a random password generator, are hard to memorize, but simple passwords are often not safe. A cloud password manager such as LastPass is not a safe option either: cloud password managers often suffer from various security issues. Besides that, it is not cool to expose your passwords to a cloud password manager company. With checksums, the management can be easily done by ourselves, while still maintaining “good” passwords.

Checksums are small-size strings which can be computed from other strings by specific checksum algorithms. Using the most popular checksum algorithms, such as MD5, SHA-1, etc. the checksums usually look very different from the original string, and changing even a single bit of the original string usually leads to very different checksums. For example, the MD5 checksums of the two similar words “bird” and “birds” are completely different (you can use this website to compute the checksum of a string, or use the md5sum or sha1sum command line utility if you are on GNU/Linux or Max OS X):

string MD5 checksum
bird 87d28160e9215b17645c734ba7170ba1
birds ea5f5a5293a7d404e091c04939ba2ad8

Here the basic strategy to manage passwords is to have the password for each account to follow the “prefix+checksum” scheme. The prefix is the same across all accounts and is similar to the usual passwords, e.g., it can be one of your current passwords — this is what you need to memorize. The checksum part is unique for each account: it can be part of the MD5/SHA-1/SHA-2 checksum of something related to the host, such as the domain of the website, or the name of the company which hosts the account, etc. In this way, only one global prefix is needed to memorize which brings easy management, and the checksum part of each account is unique which brings security. For example, as shown in the figure below, for your account at quitter.se, you can use the MD5 checksum of the string “quitter.se”, which is 00b34f415b15dbea2e9d0611d2cc90f8. Then, with a prefix such as my-password, follow the “prefix+checksum” scheme, the password for quitter.se would be my-password00b34f415b15dbea2e9d0611d2cc90f8. If only part of the checksum is used, e.g., the first 10 characters of the checksum, then the password is my-password00b34f415b.

The “prefix+checksum” scheme.