Uwe Hermann | A slightly paranoid Debian developer

jhead is a very nice and very powerful command line utility to mess with JPEG headers (esp. EXIF fields).

  $ apt-get install jhead

It can display/extract a great amount of metadata fields from JPEG files and also extract the thumbnails stored in JPEG files (if any). The following will list all known metadata fields from a sample photo:

  $ wget http://farm4.static.flickr.com/3173/3061542361_60acb0904b_o.jpg
  $ jhead *.jpg
  File name    : 3061542361_60acb0904b_o.jpg
  File size    : 1074172 bytes
  File date    : 2008:11:26 23:38:04
  Camera make  : Panasonic
  Camera model : DMC-FZ18
  Date/Time    : 2008:03:05 15:45:52
  Resolution   : 3264 x 2448
  Flash used   : No
  Focal length : 4.6mm  (35mm equivalent: 28mm)
  Exposure time: 0.0100 s  (1/100)
  Aperture     : f/3.6
  ISO equiv.   : 100
  Whitebalance : Auto
  Metering Mode: matrix
  Exposure     : program (auto)
  GPS Latitude : N %:.7fd %;.8fm %;.8fs
  GPS Longitude: E %;.8fd %:.7fm %;.8fs
  GPS Altitude : 174.00m
  Comment      : Aufgenommen auf dem <a href="http://www.froutes.de/TT00000014_Ars_Natura">Kunstweg Ars Natura</a>.
  ======= IPTC data: =======
  Record vers.  : 4
  Headline      : Felsburg auf dem Felsberg
  (C)Notice     : www.froutes.de
  Caption       : Aufgenommen auf dem <a href="http://www.froutes.de/TT00000014_Ars_Natura">Kunstweg Ars Natura</a>.

As you can see there's a huge amount of potentially privacy-sensitive metadata in your typical JPEG as generated by your camera (including camera type, settings, date/time, maybe even GPS coordinates of your location, etc).

You can extract the thumbnail stored in all JPEGs in the current directory with:

  $ jhead -st "&i_t.jpg" *.jpg
  Created: '3061542361_60acb0904b_o.jpg_t.jpg'

Note that the JPEG thumbnail does not necessarily show the same picture as the JPEG itself. Depending on the image manipulation software that was used to create the edited/fixed/cropped JPEG, the thumbnail may still reflect the original JPEG contents (see sample image on the right-hand side). This is a huge potential privacy issue. There have been a number of articles about this some years ago, in case you missed them:

• disLEXia: Hidden data in Document Formats
• disLEXia: EXIF Thumbnail in JPEG images (many sample JPEGs and their differing thumbnails)
• Kevin Cohen: Digital Still Camera Forensics (PDF)

Thus, an important jhead command line to know is the following, which removes all metadata (including any thumbnails) from all JPEG images in the current directory:

  $ jhead -purejpg *.jpg
  Modified: 3061542361_60acb0904b_o.jpg

As you can see the result is that only very basic information can be gathered from the file afterwards:

  $ jhead *.jpg
  File name    : 3061542361_60acb0904b_o.jpg
  File size    : 1052506 bytes
  File date    : 2008:11:26 23:38:04
  Resolution   : 3264 x 2448
  $ jhead -st "&i_t.jpg" *.jpg
  Image contains no thumbnail

I recommend doing this for most photos you make publically available on sites like flickr etc. (unless you have a good reason not to). Finally, see the jhead(1) manpage for lots more options that the tool supports.

Today seems to be Firefox/Iceweasel 3 Bashing Day on Planet Debian, so let me join the fun :)

I agree with most other people that the default Firefox/Iceweasel 3 config is not ideal, so here's what I did to fix it. Some of these items improve performance, some remove annoyances, some remove privacy issues, some remove security issues. Not everything here may be desirable for people other than me.

General

• Disable the bookmarks toolbar via "View / Toolbars / Bookmarks Toolbar", nobody needs that and we save some screen space. Remove all pre-defined bookmarks while we're at it.
• Select "View / Toolbars / Customize".
  • Add the "New Tab" button/icon right after the "Home" button. This is probably the most-used button (for me at least) and it's not available per default...
  • Click "Use Small Icons", there's no reason to waste screen space.
  • Remove the Google search bar (useless).
  • Now move all icons and the URL bar into the menu bar (I'm not kidding). After that you can disable the nagivation toolbar via "View / Toolbars / Navigation Toolbar" and save even more screen space.

Preferences

Select "Edit / Preferences".

Main:

• Select "When Iceweasel starts: Show a blank page".
• Set "Home Page" to whatever you see fit.

Tabs:

• Enable "Always show the tab bar".

Content:

• At the right-hand side of "Enable JavaScript" click "Advanced" and uncheck all checkboxes. JavaScript stuff shouldn't need to do any of those operations.
• Uncheck "Enable Java". Nobody needs this crap and it's a huge security risk.

Privacy:

• Disable "Keep my history for xyz days" completely. Huge privacy risks.
• Disable "Remember what I enter in forms and the search bar". Huge security and privacy risks, almost no gain.
• Disable "Remember what I've downloaded". Huge privacy risks.
• Uncheck "Accept third-party cookies".
• Choose "Keep until: I close Iceweasel".
• Click "Show Cookies" and remove all of them.
• Enable "Always clear my private data when I close Iceweasel". Click "Settings" and check all items. You want to purge everything when closing Iceweasel.

Security:

• On the right-hand side of "Warn me when sites try to install add-ons" click "Exceptions" and remove all exceptions.
• Disable "Tell me if the site I'm visiting is a suspected attack site". Useless crap, possibly a privacy issue.
• Disable "Tell me if the site I'm visiting is a suspected forgery". Useless crap, possibly a privacy issue.
• Disable "Remember passwords for sites". This is a huge security risk, never ever enable it!

Advanced:

• "General" tab:

  • Enable "Warn me when web sites try to redirect or reload the page".
  • Disable "Check my spelling as I type". Useless, annoying crap, which probably even impacts performance.

• "Update" tab:

  • Disable "Automatically check for updates to: Installed Add-ons".
  • Disable "Automatically check for updates to: Search Engines".
  • Select "When updates to Iceweasel are found: Ask me what I want to do".

about:config



Open a new tab, enter "about:config" as URL and hit ENTER. Click the annoying "I'll be careful, I promise!" button. Uncheck "Show this warning next time" while we're at it.

• Set browser.urlbar.matchOnlyTyped = true to disable the new, annoying "AwesomeBar" URL bar feature (which is also a huge privacy risk).
• Browser tabs are way too huge for my taste (thus only very few fit on the screen). Fix it with browser.tabs.tabMinWidth = 60 and browser.tabs.tabMaxWidth = 60 (needs a browser restart). You can even use less than 60 if you don't need any text and an icon per tab is enough for you.
• Disable the annoying, flashing auto-search stuff when you select "Tools / Add-ons / Get Add-ons": Set extentions.getAddons.showPane = false.
• Set bidi.support = 0. You'll probably never need it, so reduce the number of potential bugs and security issues by disabling it.
• Self-signed certificate handling is annoying, so fix it with: browser.ssl_override_behavior = 2 and browser.xul.error_pages.expert_bad_cert = true (thanks Pierre Habouzit).
• Set browser.tabs.closeButtons = 3 in order to prevent accidental closing of tabs (no more Close buttons on each tab, only one global Close button on the right). Yes, CTRL+Shift+T helps in case it still happens.
• Set network.prefetch-next = false to prevent random prefetching of webpages which means wasting CPU cycles and bandwidth, as well as subtle privacy and security issues.

Plugins

None. Don't even think about installing crap like the closed-source Flash player if stability or security are important to you. If you absolutely must watch YouTube videos, I recommend youtube-dl.

Extensions

Use as few as possible. Every extention may have security problems or bugs, and can negatively affect performance etc.

Pretty much the only one I use is NoScript to selectively enable JavaScript for some trusted websites (and disable it for all other sites).

Interesting paper from the PacSec 2006 security conference: OpenOffice / OpenDocument and MS Office 2007 / Open XML security (PDF)

Not too surprising when you come to think of it, there are tons of possibilities to embed various kinds of malware in the new office document formats. Also, you always have the risk of leaving sensitive metadata in there... If you publish stuff, you better convert to PDF before. But even that might leave sensitive data in the PDF, mind you!

Oh, and one nice detail you might enjoy:

• OpenDocument specification: 700 pages
• Microsoft's Open XML specification (final draft): 6036 pages!

And that doesn't even describe all of the format (e.g. VBA macros are missing)! No further comment required...

This demo is initiated and backed by a number of organizations in Germany, among others the Arbeitskreis Vorratsdatenspeicherung, Chaos Computer Club e.V., FoeBuD e.V., STOP1984, Attac AG Wissensallmende, Indymedia Germany, and the German Pirate Party.

Place: Bielefeld, Germany (exact meeting place)
Time: 15:00 o'clock on Friday, October 20, 2006
Motto: Freiheit statt Angst (Freedom instead of fear)

Goals and Demands

• Reduce the pervasive surveillance in Germany!
  No public video surveillance, no automatical face-recognition, no data retention, no RFID and biometry in passports, no "Lauschangriff" etc.
• In-depth investigations of current surveillance laws by independant organizations/experts!
  Find out how effective (or rather not!) currently implemented surveillance laws have been, and what their downsides, problems, and dangers are for democracy in Germany.
• Stop all plans for further surveillance laws!
  Any further surveillance laws, "anti-terror"- or "security"-laws must be halted immediately! Their implications are extremely dangerous for privacy and democracy in Germany!

Materials: Banners, flyers, mottos for transparents and more are available in the wiki of the site. Donations are possible and welcome, too.

Demo participants can visit the Big Brother Awards 2006 right after the demo (for free).

If you value your privacy and democracy in this country, now is the time to speak up and let the whole world (and especially the German politicians) know! This surveillance-madness has to stop!

ScatterChat is a new cross-platform IM client announced by the Cult of the Dead Cow / Hacktivismo (during the HOPE conference, it seems).

From the website:

ScatterChat is a HACKTIVIST WEAPON designed to allow non-technical human rights activists and political dissidents to communicate securely and anonymously while operating in hostile territory. It is also useful in corporate settings, or in other situations where privacy is desired.

It is a secure instant messaging client (based upon the Gaim software) that provides end-to-end encryption, integrated onion-routing with Tor, secure file transfers, and easy-to-read documentation.

Its security features include resiliency against partial compromise through perfect forward secrecy, immunity from replay attacks, and limited resistance to traffic analysis... all reinforced through a pro-actively secure design.

So the client is a "friendly-fork" of Gaim, it uses Tor to achieve anonymity, and for the crypto parts (secure messaging, secure file transfer) ScatterChat uses libgcrypt.

It's a cross-platform application available for Linux, Windows; support for other OSes is planned (Mac OS X, others).

You can always download the source code, of course, as it's free software. Actually, not quite. While ScatterChat itself is based on the GPL'd Gaim, it has to be GPL'd, too. However, the scatterchat-module package, which seems to contain the crypto-parts, is licensed under a custom "Hacktivismo Enhanced-Source Software License Agreement" (HESSLA) right now, which is so horribly long I didn't even bother reading it.

However, the README says:

I am open to the possibility of re-licensing parts of this library to GPL, BSD, public domain, or some other license. I cannot make any promises, but I will try to accomodate reasonable requests.

I'm going to do just that, email the author and ask him nicely to change the license to some sane, well-known free software license. If you feel similar, please let the author know (hint, hint). Depending on what the HESSLA really says, it might prevent ScatterChat from entering Debian, for example.

I haven't yet tried to use the application, but it sure looks like it has a lot of potential. It also seems do most security-related things right:

• it doesn't try to reinvent/reimplement its own crypto primitives (which would be doomed to fail), but rather uses libgcrypt
• it has a documented crypto protocol
• it's free software, which is a major requirement (see Kerckhoffs' principle)
• it doesn't reinvent the wheel, but rather uses Tor for anonymity (for example)
• etc. etc.

Of course that's no guarantee that it's secure; I hope some crypto-gurus look over it soon. But at least they didn't make obvious stupid mistakes we've all seen in many other pieces of software.

Anyways, I feel this is a real important project which will help lots of people (activists, political dissidents, normal people like me and you who value their privacy). Go check it out!

(via Boing Boing)