Author Archives: Kenji Yoshino

About Kenji Yoshino

Twitter: @tidgubi

Restricting File Sharing Apps

File sharing services like Dropbox and SpiderOak are great for easily syncing files between computers. SpiderOak even offers Zero-Knowledge Privacy, where they cannot decrypt your files.

Unfortunately, the default settings increase your computer’s attack surface. Dropbox, SpiderOak, and I assume most cloud storage providers include a "LAN Sync" feature. This speeds up synchronization of files between computers on a LAN by letting the computers send files directly to each other without relying on the internet connection. To do this, the synchronization applications must accept incoming connections. If you join a coffee shop or hotel network, a malicious user could send packets to these applications. While I’m sure the developers made an effort to write good applications, I’m also sure these have not been tested for vulnerabilities as extensively as OpenSSL and Windows SMB. At least in client mode, the application should only be connecting to the trusted server (unless there’s an active man-in-the-middle attack). Disclaimer: I am not aware of vulnerabilities in these programs. This is just about mitigating a potential risk.

It’s easy to stop these programs from accepting connections. In Dropbox for Mac, click the Dropbox icon, click the gear, click ‘Preferences…’, click the Network tab, and uncheck ‘Enable LAN Sync’. In SpiderOak for Mac, click the SpiderOak icon, go to Application, click Preferences, click Network, and uncheck ‘Allow LAN-Sync’.

Redeem an iTunes eGift in the Mac App Store

If you receive an iTunes gift via email, but don’t want to open iTunes, do the following to redeem the gift in a different program (e.g. App Store or iBooks):

  1. Open the email with the iTunes gift
  2. Right-click the "Redeem Now" button and copy the link. The menu option is usually called something like "Copy Link" or "Copy Link Address…"
  3. Paste the link into a text editor. The link should look something like https://buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/com.apple.jingle.app.finance.DirectAction/freeProductCodeWizard?code=XABCD1234ABCD12X&mt=1M
  4. The gift card code (the same thing you would get by scratching off a physical gift card) is the text between "code=" and "&mt". In this example it is XABCD1234ABCD12X (not a real gift card code)
  5. Paste or type this code into the Redeem page of any of Apple’s app stores

Forcing an iTunes Charge

Recently, I received an offer from American Express, where I would receive a statement credit if I used my card on iTunes. Unfortunately, I already had a gift balance on my Apple ID and didn’t expect I’d spend it before the promotion expired.

I used the following steps to charge my card immediately and just add to my account balance:

  1. In iTunes, go to the Store menu -> View account (appleID@email.com)…
  2. Edit your payment details to the credit card with the promotion.
  3. Click the home (icon) button near.
  4. Under Quick Links on the right hand side of the window, select Send iTunes Gifts.
  5. Enter your own email address, select an amount that qualifies for the promotion, and click Next.
  6. Pick a design and click Next.
  7. Click Buy Gift to charge your credit card.
  8. Look at your email for an iTunes Gift card you can add to your account balance.
  9. Switch your credit card back to your original card.

Note: I’m not sure why it isn’t possible to buy/send gifts from the Mac App Store. As far as I know, you have to use iTunes.

Replacing Skype with Google Voice

I’ve been looking to move from Skype to Google Voice. To save cell phone minutes (yes, I’m still on a family share plan), I try to use VoIP to make calls when I have access to reliable internet. Unfortunately, the Google Voice app for iOS doesn’t support VoIP, even though it has a dialpad. It is only a callback service that uses your normal cell phone minutes. This app looks like it is on its way out, as it hasn’t been updated since September 2013 and never received an iOS 7 look and feel.

Fortunately, the Google Hangouts app has most of the features you’d expect from a calling/video chat app. It allows you to make VoIP calls to US phone numbers for free and lets you video chat with your other Google contacts. The downside is that you still need the Google Voice app to manage a few voice settings, view missed calls, and listen to voicemails.

Configuring Chrome’s SSL/TLS

As of version 34.0.1847.116, Google Chrome defaults to the following ciphersuites:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (orange)
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA (orange)
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA (red)
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA (orange)
  • TLS_RSA_WITH_RC4_128_SHA (orange)
  • TLS_RSA_WITH_RC4_128_MD5 (red)

Overall I think the list is pretty good. I’d rather not use the ciphersuites in red (TLS_RSA_WITH_RC4_128_MD5 and TLS_DHE_DSS_WITH_AES_128_CBC_SHA), because of the MD5 message authentication and the DSS site authentication. I also think it is very unlikely that disabling these will prevent you from accessing any common sites. More security-conscious users will probably want to disable the orange ciphersuites (the remaining RC4 suites and TLS_RSA_WITH_3DES_EDE_CBC_SHA) as well, because RC4 and TDES are both weaker than AES. As you make changes, the SSL Labs Client Test is an easy way to see which ciphersuites are enabled. It also gives you the hex code for each ciphersuite, which is what you need to disable them.

Unfortunately, Google Chrome doesn’t have a nice interface for configuring ciphersuites like Firefox and Opera do, so you need to use command line switches to selectively disable ciphersuites. I have instructions for using command line switches on Windows and MacOS.

To disable the red ciphersuites, add the following switch:

--cipher-suite-blacklist=0x0004,0x0032

To disable the red and orange ciphersuites, add the following switch:

--cipher-suite-blacklist=0x0004,0x0032,0x0005,0x000a,0xc011,0xc007

If you’re concerned about the NSA, the following disables all ciphersuites without perfect forward secrecy:

--cipher-suite-blacklist=0x0004,0x0005,0x000a,0x0035,0x002f,0x009c,0x0032
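As an added example (not code from the original post), here is a small Python script that parses each IANA ciphersuite name into its key exchange, authentication, bulk cipher and hash parts, tags the weaknesses discussed above (MD5, DSS, RC4, 3DES, no forward secrecy), and generates the matching --cipher-suite-blacklist value. The hex code table is deliberately limited to the nine suites the switches above name, so the code points come from the post; the policy tags and function names are my own construction.

```python
import re

# Chrome 34's default suite list, copied from the post above (same order).
CHROME_34_DEFAULTS = """
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5
""".split()

# Code points for the suites the post's switches name (a rejected suite missing here raises KeyError).
CODES = {"TLS_RSA_WITH_RC4_128_MD5": 0x0004, "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
         "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A, "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
         "TLS_DHE_DSS_WITH_AES_128_CBC_SHA": 0x0032, "TLS_RSA_WITH_AES_256_CBC_SHA": 0x0035,
         "TLS_RSA_WITH_AES_128_GCM_SHA256": 0x009C, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": 0xC007,
         "TLS_ECDHE_RSA_WITH_RC4_128_SHA": 0xC011}

NAME_RE = re.compile(r"^TLS_(?P<kx>ECDHE|DHE|RSA)(?:_(?P<auth>ECDSA|RSA|DSS))?"
                     r"_WITH_(?P<cipher>.+)_(?P<mac>SHA256|SHA384|SHA|MD5)$")

def parse_suite(name):
    # Split the IANA name into key exchange, authentication, bulk cipher and hash.
    m = NAME_RE.match(name)
    if not m:
        raise ValueError("unrecognised ciphersuite name: " + name)
    kx, auth, cipher, mac = m.group("kx", "auth", "cipher", "mac")
    # TLS_RSA_* suites use static RSA for both key exchange and authentication.
    return {"kx": kx, "auth": auth or kx, "cipher": cipher, "mac": mac}

def weaknesses(name):
    # Tags for the post's objections: MD5 MAC, DSS auth, RC4, 3DES, no forward secrecy.
    s = parse_suite(name)
    rules = {"md5": s["mac"] == "MD5", "dss": s["auth"] == "DSS",
             "rc4": s["cipher"].startswith("RC4"), "3des": s["cipher"].startswith("3DES"),
             "no-pfs": s["kx"] == "RSA"}  # static RSA key exchange cannot give PFS
    return {tag for tag, hit in rules.items() if hit}

def reject_codes(suites, reject):
    # Sorted code points of every suite carrying at least one rejected tag.
    return sorted(CODES[s] for s in suites if weaknesses(s) & reject)

def blacklist_switch(suites, reject):
    return "--cipher-suite-blacklist=" + ",".join("0x%04x" % c for c in reject_codes(suites, reject))
```

Passing {"md5", "dss"}, {"md5", "dss", "rc4", "3des"} or {"no-pfs", "dss"} as the reject set reproduces the three switches above.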

I also recommend disabling SSLv3.0 with the following switch:

--ssl-version-min=tls1