Strip PNG metadata using Ubuntu 13.10: pngcrush and optipng

PNG optimizing tools reduce size by getting rid of “extra” stuff. Some of that extra stuff is metadata (text comments, timestamps, embedded colour profiles) that can identify the device or software that produced the picture, or the person who took it. I’m no professional metadata-remover, I just did this testing for fun.

optipng is needed for the second half of the command, and imagemagick provides the identify tool used below to inspect the result.

sudo apt-get install -y pngcrush optipng imagemagick libimage-exiftool-perl
pngcrush -rem allb -brute -reduce original.png optimized.png && optipng -o7 optimized.png

pngcrush – run the pngcrush program

-rem allb – remove the ancillary (non-essential) chunks, which is where identifying metadata lives: tEXt/iTXt/zTXt comments (author, software, descriptions), tIME timestamps, embedded ICC profiles (iCCP), pHYs and so on. pngcrush’s help describes allb as keeping tRNS and gAMA; in the test below gAMA, cHRM and sRGB survived while iCCP and pHYs were dropped. The survivors only describe colour rendering, so they are harmless, but check the result on your own files rather than assume.

-brute – attempt all optimization methods

-reduce – try lossless reductions of colour type and bit depth (for example dropping an unused alpha channel, or storing a grey RGB image as greyscale)

original.png – the name of the original (unoptimized) PNG file

optimized.png – the name of the new, optimized PNG file

&& – command #2 will be executed if and only if command #1 returns exit status zero

optipng – run the optipng program

-o7 – optimize at optipng’s highest standard level (slow, and it only affects file size; removing chunks is pngcrush’s job here, though optipng has its own -strip all option if you use it on its own)

optimized.png – the already pngcrush-optimized PNG file that will be further optimized (if possible) with optipng
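
The chunk-level view of what the pngcrush step is doing, as an added example in Python that is not part of this post or of pngcrush: it walks a PNG’s chunk list with CRC checking, reports the ancillary chunks (decoding tEXt, zTXt and tIME, which is where author names, software names, comments and timestamps live), and writes a copy that keeps only the critical chunks plus tRNS and gAMA. The 2x2 image, the “Jane Doe” author tag and the “hypothetical-camera-app” software string are constructed sample data; the keep-set mirrors what pngcrush’s help says -rem allb retains and is an assumption you can override with the keep argument.

```python
"""List a PNG's ancillary chunks and write a copy with them stripped."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CRITICAL = (b"IHDR", b"PLTE", b"IDAT", b"IEND")
# Assumption: critical chunks plus the two that pngcrush's "-rem allb" keeps.
# Note: this also drops APNG chunks (acTL/fcTL/fdAT), so animations would break.
KEEP_DEFAULT = frozenset(CRITICAL) | {b"tRNS", b"gAMA"}


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk, verifying the signature and each CRC."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos < len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


def list_metadata(png: bytes) -> list:
    """Return (type, summary) for each ancillary chunk; text and time chunks are decoded."""
    out = []
    for ctype, data in iter_chunks(png):
        if ctype in CRITICAL:
            continue
        if ctype == b"tEXt":  # keyword NUL text (Latin-1)
            key, _, val = data.partition(b"\x00")
            out.append((ctype.decode(), f"{key.decode('latin-1')}={val.decode('latin-1')}"))
        elif ctype == b"zTXt":  # keyword NUL method-byte zlib(text)
            key, _, rest = data.partition(b"\x00")
            text = zlib.decompress(rest[1:]).decode("latin-1")
            out.append((ctype.decode(), f"{key.decode('latin-1')}={text}"))
        elif ctype == b"tIME":  # year(2) month day hour minute second
            y, mo, d, h, mi, s = struct.unpack(">HBBBBB", data)
            out.append((ctype.decode(), f"{y:04d}-{mo:02d}-{d:02d} {h:02d}:{mi:02d}:{s:02d}"))
        else:
            out.append((ctype.decode(), f"{len(data)} bytes"))
    return out


def strip_png(png: bytes, keep=KEEP_DEFAULT) -> bytes:
    """Rebuild the file from only the chunks in `keep`; pixel data is copied untouched."""
    return PNG_SIG + b"".join(chunk(t, d) for t, d in iter_chunks(png) if t in keep)


def pixels(png: bytes) -> bytes:
    """Decompressed IDAT payload (filter bytes included), for before/after comparison."""
    return zlib.decompress(b"".join(d for t, d in iter_chunks(png) if t == b"IDAT"))


def make_sample() -> bytes:
    """Constructed 2x2 8-bit RGB PNG carrying the kinds of chunks that leak provenance."""
    rows = (b"\xff\x00\x00\x00\xff\x00", b"\x00\x00\xff\xff\xff\xff")  # red,green / blue,white
    raw = b"".join(b"\x00" + row for row in rows)  # filter type 0 per scanline
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)  # 2x2, 8-bit, truecolor
    return PNG_SIG + b"".join([
        chunk(b"IHDR", ihdr),
        chunk(b"gAMA", struct.pack(">I", 45455)),
        chunk(b"pHYs", struct.pack(">IIB", 7087, 7087, 1)),
        chunk(b"tEXt", b"Author\x00Jane Doe"),                      # constructed
        chunk(b"tEXt", b"Software\x00hypothetical-camera-app 1.0"),  # constructed
        chunk(b"zTXt", b"Comment\x00\x00" + zlib.compress(b"taken at home")),
        chunk(b"tIME", struct.pack(">HBBBBB", 2014, 1, 15, 19, 41, 21)),
        chunk(b"IDAT", zlib.compress(raw)),
        chunk(b"IEND", b""),
    ])


if __name__ == "__main__":
    sample = make_sample()
    print("before:", list_metadata(sample))
    stripped = strip_png(sample)
    print("after: ", list_metadata(stripped))
    assert pixels(sample) == pixels(stripped), "pixel data must be unchanged"
```

To use it on a real file, read the bytes, pass them to list_metadata before and after strip_png, and compare pixels() on both; an identical result is the same guarantee as the matching signature lines in the identify output further down. iTXt and any chunk the script does not decode are still reported by type and size, so nothing is silently ignored.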

Let’s test!

Here’s an image that’s CC-BY-SA from Wikipedia: http://upload.wikimedia.org/wikipedia/commons/8/89/Tenaya_Lake_Yosemite_National_Park.png

pngcrush -rem allb -brute -reduce Tenaya_Lake_Yosemite_National_Park.png Tenaya_Lake_Yosemite_National_Park2.png && optipng -o7 Tenaya_Lake_Yosemite_National_Park2.png

Then to check the metadata of the original with ImageMagick’s identify (the Properties and Profiles sections are the ones that matter here):

identify -verbose Tenaya_Lake_Yosemite_National_Park.png

Image: Tenaya_Lake_Yosemite_National_Park.png
Format: PNG (Portable Network Graphics)
Class: DirectClass
Geometry: 2048x1536+0+0
Resolution: 70.87x70.87
Print size: 28.898x21.6735
Units: PixelsPerCentimeter
Type: TrueColor
Endianess: Undefined
Colorspace: sRGB
Depth: 8-bit
Channel depth:
red: 8-bit
green: 8-bit
blue: 8-bit
Channel statistics:
Red:
min: 0 (0)
max: 255 (1)
mean: 111.14 (0.435842)
standard deviation: 42.8511 (0.168043)
kurtosis: 0.724192
skewness: 1.17595
Green:
min: 0 (0)
max: 255 (1)
mean: 130.885 (0.513273)
standard deviation: 38.549 (0.151173)
kurtosis: -0.384294
skewness: 0.458422
Blue:
min: 0 (0)
max: 255 (1)
mean: 155.366 (0.609278)
standard deviation: 48.5428 (0.190364)
kurtosis: -0.907909
skewness: -0.00882359
Image statistics:
Overall:
min: 0 (0)
max: 255 (1)
mean: 132.463 (0.519464)
standard deviation: 43.5073 (0.170617)
kurtosis: 0.23089
skewness: 0.637459
Rendering intent: Perceptual
Gamma: 0.454545
Chromaticity:
red primary: (0.64,0.33)
green primary: (0.3,0.6)
blue primary: (0.15,0.06)
white point: (0.3127,0.329)
Interlace: None
Background color: white
Border color: srgb(223,223,223)
Matte color: grey74
Transparent color: black
Compose: Over
Page geometry: 2048x1536+0+0
Dispose: Undefined
Iterations: 0
Compression: Zip
Orientation: Undefined
Properties:
date:create: 2014-01-15T19:41:21-08:00
date:modify: 2014-01-15T19:41:21-08:00
png:cHRM : chunk was found (see Chromaticity, above)
png:gAMA : gamma=0.45454544 (See Gamma, above)
png:iCCP : chunk was found
png:IHDR.bit_depth : 8
png:IHDR.color_type : 2 (Truecolor)
png:IHDR.interlace_method: 0 (Not interlaced)
png:IHDR.width,height : 2048, 1536
png:pHYs : x_res=7087, y_res=7087, units=1
png:sRGB : intent=0 (See Rendering intent)
signature: 4be08d8b3f54c63739c5653a38dd4f817da97114025dddaccbf7e9e533396d56
Profiles:
Profile-icc: 1352 bytes
Description: Camera RGB Profile
Manufacturer: Camera RGB Profile
Model: Camera RGB Profile
Copyright: Copyright 2003 Apple Computer Inc., all rights reserved.
Artifacts:
filename: Tenaya_Lake_Yosemite_National_Park.png
verbose: true
Tainted: False
Filesize: 4.961MB
Number pixels: 3.146M
Pixels per second: 10.49MB
User time: 0.290u
Elapsed time: 0:01.300
Version: ImageMagick 6.7.7-10 2013-09-10 Q16 http://www.imagemagick.org

And compare the optimized copy. What to look for: the Profiles block (the 1352-byte ICC profile named “Camera RGB Profile”, copyright Apple, which reveals the software that produced the file) and the png:pHYs line are gone; gAMA, cHRM and sRGB were kept; the pixel signature is identical, so the image itself is unchanged; and the size dropped from 4.961MB to 4.454MB. The date:create and date:modify lines are filesystem timestamps reported by identify, not chunks inside the PNG, so no PNG tool will strip them and they will simply be whatever the receiving filesystem records:

identify -verbose Tenaya_Lake_Yosemite_National_Park2.png

Image: Tenaya_Lake_Yosemite_National_Park2.png
Format: PNG (Portable Network Graphics)
Class: DirectClass
Geometry: 2048x1536+0+0
Resolution: 72x72
Print size: 28.4444x21.3333
Units: Undefined
Type: TrueColor
Endianess: Undefined
Colorspace: sRGB
Depth: 8-bit
Channel depth:
red: 8-bit
green: 8-bit
blue: 8-bit
Channel statistics:
Red:
min: 0 (0)
max: 255 (1)
mean: 111.14 (0.435842)
standard deviation: 42.8511 (0.168043)
kurtosis: 0.724192
skewness: 1.17595
Green:
min: 0 (0)
max: 255 (1)
mean: 130.885 (0.513273)
standard deviation: 38.549 (0.151173)
kurtosis: -0.384294
skewness: 0.458422
Blue:
min: 0 (0)
max: 255 (1)
mean: 155.366 (0.609278)
standard deviation: 48.5428 (0.190364)
kurtosis: -0.907909
skewness: -0.00882359
Image statistics:
Overall:
min: 0 (0)
max: 255 (1)
mean: 132.463 (0.519464)
standard deviation: 43.5073 (0.170617)
kurtosis: 0.23089
skewness: 0.637459
Rendering intent: Perceptual
Gamma: 0.454545
Chromaticity:
red primary: (0.64,0.33)
green primary: (0.3,0.6)
blue primary: (0.15,0.06)
white point: (0.3127,0.329)
Interlace: None
Background color: white
Border color: srgb(223,223,223)
Matte color: grey74
Transparent color: black
Compose: Over
Page geometry: 2048x1536+0+0
Dispose: Undefined
Iterations: 0
Compression: Zip
Orientation: Undefined
Properties:
date:create: 2014-01-15T19:58:34-08:00
date:modify: 2014-01-15T19:58:34-08:00
png:cHRM : chunk was found (see Chromaticity, above)
png:gAMA : gamma=0.45454544 (See Gamma, above)
png:IHDR.bit_depth : 8
png:IHDR.color_type : 2 (Truecolor)
png:IHDR.interlace_method: 0 (Not interlaced)
png:IHDR.width,height : 2048, 1536
png:sRGB : intent=0 (See Rendering intent)
signature: 4be08d8b3f54c63739c5653a38dd4f817da97114025dddaccbf7e9e533396d56
Artifacts:
filename: Tenaya_Lake_Yosemite_National_Park2.png
verbose: true
Tainted: False
Filesize: 4.454MB
Number pixels: 3.146M
Pixels per second: 14.98MB
User time: 0.210u
Elapsed time: 0:01.209
Version: ImageMagick 6.7.7-10 2013-09-10 Q16 http://www.imagemagick.org


Setting up OpenVPN Access Server for Ubuntu 13.10

About OpenVPN Access Server: https://openvpn.net/index.php/access-server/overview.html. I use OpenVPN-AS to self-host a really easy to use VPN for Windows, Linux, and Android devices.

Access Server release notes for 2.0.3: http://openvpn.net/index.php/access-server/download-openvpn-as-sw/532-release-notes-v200.html

On the server side:

sudo apt-get install openvpn bridge-utils openvpn-blacklist
openvpn --version

You should see “OpenVPN 2.3.2 x86_64-pc-linux-gnu” (or a later version).

Check that you will be downloading the latest version of OpenVPN-AS by visiting this page and selecting your OS: https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html. dpkg -i does no verification of the package on its own, so compare the downloaded .deb against whatever checksum or signature the download page publishes before installing it.

wget http://swupdate.openvpn.org/as/openvpn-as-2.0.3-Ubuntu13.amd64.deb
sudo dpkg -i openvpn-as-2.0.3-Ubuntu13.amd64.deb

I use Ubuntu’s “Uncomplicated Firewall” (https://help.ubuntu.com/community/UFW) to manage my server-side iptables firewall. I added a rule to allow incoming TCP traffic on port 1194.

sudo ufw allow 1194/tcp
sudo ufw reload

Create a user on your server that won’t have administrative rights, that you’ll use to access your VPN:

sudo adduser ovpnuser

Then on the client side:

Unfortunately, at the time of writing, “.ovpn” files are not supported through the gnome GUI as described here: http://askubuntu.com/questions/187511/how-can-i-use-a-ovpn-file-with-network-manager. So you will have to connect via command-line.

  1. Go to https://your_static_ip:1194 in your web browser. Unless you installed your own certificate, the Access Server’s web certificate is self-signed and the browser will warn about it; compare the fingerprint it shows with the certificate on the server before accepting, because the profile you download in step 3 carries the CA and client credentials that every later connection trusts.
  2. Log in with the user credentials you created above.
  3. Click “Yourself (user-locked profile)” to download the “client.ovpn” file.
  4. Open a terminal window and enter:
sudo openvpn --config /home/your_user/Downloads/client.ovpn
  5. Verify that you’re now using your server’s public IP address: http://ipchicken.com/

Ubuntu 13.10 + ZFS / raidz2 Samba share

These are the steps that I took and what works for me. I hope it helps someone else. Configure the RAID controller as JBOD, or failing that as one single-disk RAID-0 logical volume per HDD, so that ZFS sees each disk directly. Then install Ubuntu Server 13.10 x64 with OpenSSH and Samba.

sudo add-apt-repository ppa:zfs-native/stable
sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install ubuntu-zfs python-software-properties
dmesg | grep ZFS
sudo vim /etc/modules

(add the following…)

spl
zavl
znvpair
zunicode
zcommon
zfs

(then run…)

sudo update-initramfs -u
sudo reboot
sudo zpool status
(prefer the persistent /dev/disk/by-id/ names over /dev/sdX where you can, since sdX letters can change order across reboots; -f forces creation over any existing partition table or label on the disks…)

sudo zpool create zfsshare raidz2 /dev/sdb /dev/sdc /dev/sdd /dev/sde /dev/sdf -f
sudo zfs list
sudo zfs create zfsshare/backup
sudo zpool status
sudo vim /etc/samba/smb.conf

(configured smb.conf…)

sudo zfs set sharesmb=on zfsshare/backup
sudo chmod 0777 /zfsshare/backup

(0777 makes the backup directory writable by every local user and every Samba client that can reach the share. If a single account copies the backups in, make that user the owner, use 0770 with a dedicated group, and restrict the share to that user in smb.conf…)

sudo service samba restart
sudo zfs get sharesmb,sharenfs
sudo zfs set compression=lz4 zfsshare/backup
sudo zdb -b zfsshare
sudo zfs set dedup=on zfsshare/backup

(dedup keeps a table of every written block’s checksum that has to stay in RAM to perform acceptably, and turning it off later does not undo deduplication of blocks already written; for a handful of SQL .bak files, lz4 compression alone is usually the safer choice…)

(after copying SQL .bak files, etc, to the share…)

ls -alh /zfsshare/backup/
sudo zfs get compressratio zfsshare/backup
sudo zfs get all |grep comp

Setup Nagios 4.0.2 in Ubuntu 12.04 LTS

Install Ubuntu 12.04, apt-get dist-upgrade, install openssh-server. Then as root:

set -e   # stop at the first failing step, as the original && chain did
apt-get install -y vim apache2 libapache2-mod-php5 build-essential libgd2-xpm-dev libssl-dev sendmail-bin sendmail heirloom-mailx wget curl daemon apt-file libnet-snmp-perl libperl5.14 libpq5 libradius1 libsensors4 libsnmp-base libsnmp15 libtalloc2 libtdb1 libwbclient0 samba-common samba-common-bin smbclient snmp whois libmysqlclient15-dev
groupadd -g 3000 nagios
groupadd -g 3001 nagcmd
useradd -u 3000 -g nagios -G nagcmd -d /usr/local/nagios -c 'Nagios Admin' nagios
adduser www-data nagcmd
mkdir -p /var/www/nagios
# Nothing below verifies the downloaded tarballs; check them against upstream's published checksums before building.
cd /opt
wget http://prdownloads.sourceforge.net/sourceforge/nagios/nagios-4.0.2.tar.gz
tar xf nagios-4.0.2.tar.gz
cd nagios-4.0.2
mkdir -p /usr/local/nagios/share/{stylesheets,images}
./configure --prefix=/usr/local/nagios --with-nagios-user=nagios --with-nagios-group=nagios --with-command-user=nagios --with-command-group=nagcmd
make all
make install
make install-init
make install-config
make install-commandmode
make install-webconf
make install-exfoliation
mkdir -p /usr/local/nagios/nagios-plugins
cd /usr/local/nagios/nagios-plugins
wget https://www.nagios-plugins.org/download/nagios-plugins-1.5.tar.gz
tar -xf nagios-plugins-1.5.tar.gz
cd nagios-plugins-1.5
./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl=/usr/bin/openssl --enable-perl-modules --enable-libtap
make
make install
mkdir -p /usr/local/nagios/nrpe
cd /usr/local/nagios/nrpe
wget http://kent.dl.sourceforge.net/project/nagios/nrpe-2.x/nrpe-2.15/nrpe-2.15.tar.gz
tar -xf nrpe-2.15.tar.gz
cd nrpe-2.15
./configure --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib/x86_64-linux-gnu
make all
make install
cd
rm /etc/init.d/nagios   # replaced by the upstart job below
vim /etc/init/nagios.conf

# Nagios 4.0.2
# by Remy Van Elst at https://raymii.org/s/tutorials/Nagios_Core_4_Installation_on_Ubuntu_12.04.html
description "nagios monitoring system"
start on virtual-filesystems
stop on runlevel [06]
respawn
respawn limit 5 30
limit nofile 65550 65550
chdir /usr/local/nagios/
setuid nagios
setgid nagios
console log
script
exec bin/nagios etc/nagios.cfg
end script

sudo initctl reload-configuration && vim /etc/apache2/httpd.conf

Note the AuthType/AuthUserFile/Require lines: they tie the web interface to the htpasswd file created in the next step. Without them the status pages and CGIs are reachable with no login at all, and Nagios relies on the REMOTE_USER that Apache sets to decide who may view hosts and submit commands.

ScriptAlias /nagios/cgi-bin /usr/local/nagios/sbin
<Directory "/usr/local/nagios/sbin">
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
    AuthName "Nagios Access"
    AuthType Basic
    AuthUserFile /usr/local/nagios/etc/htpasswd.users
    Require valid-user
</Directory>

Alias /nagios /usr/local/nagios/share
<Directory "/usr/local/nagios/share">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
    AuthName "Nagios Access"
    AuthType Basic
    AuthUserFile /usr/local/nagios/etc/htpasswd.users
    Require valid-user
</Directory>

htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
chown nagios:nagcmd /usr/local/nagios/etc/htpasswd.users && service apache2 restart && start nagios

Very special thank yous:

Encryption for journalists #TA3M

Techno activism

Techno-Activism Third Mondays (TA3M) is an informal meetup designed to connect software creators and software users who are interested in learning or teaching about censorship, surveillance, and various open source technologies for personal computing devices of all kinds. The New York based OpenITP nonprofit is the organization behind starting TA3M in December 2012, with New York, San Francisco and Berlin hosting their first TA3M events in January of 2013. Currently, TA3M events are held in at least 20 cities throughout the world, with many more launching every month.

Seattle hosted its first TA3M event in August 2013. In our November event, 35 people were in attendance to partake in presentations about Geeks Without Bounds involvement, Tor software development, and Tor use on personal computing devices.

Seattle journalists

For December’s TA3M in Seattle, I’ll be presenting on the use of specific open source encrypted communications applications for mobile and personal computing devices. The target audience for my presentation is people who are brand new to these encryption-capable chat tools but generally familiar with instant messaging platforms.

  • ChatSecure for Android and iOS, by The Guardian Project
  • Orbot for Android, by The Guardian Project
  • Pidgin for Windows, OSX, and Linux

The rough draft of my presentation can be found here.

Tentative event schedule here.

If you are planning to attend this free and open-to-the-public event, and have any questions that technical people such as me can help answer for you, please post questions in the comment section of this post.

 

ChatSecure Tutorial for #TA3M

This post is made for Seattle’s Techno-Activism 3rd Mondays (#TA3M) event on December 16, 2013. For details about the event, stay tuned by this wiki page: https://wiki.openitp.org/events:techno-activism_3rd_mondays:seattle

In my presentation I’ll be demonstrating how to use The Guardian Project’s mobile device application ChatSecure (Android) (iOS), which is a tool for people wanting to keep their text-based conversations private and secure. To demonstrate at #TA3M, I will be using my HTC cell phone and a Windows laptop. My phone will be pre-configured to use ChatSecure, but I’ll install and configure Pidgin and pidgin-otr on my laptop since I’ll have access to a projector. I’ll start the presentation by running through this blog post and its screenshots, but will integrate the Pidgin demonstration once I get to the contact management and OTR initialization screenshots.

Please comment on this post or Tweet at me if you have any feedback.

 

Creative Commons License
This blog post (ChatSecure Tutorial for #TA3M by Christopher Sheats) is licensed under a Creative Commons Attribution 3.0 Unported License. You are free to copy and remix it without restriction.


Install ChatSecure. I installed it from the Google Play Store.


Open the ChatSecure application.

Set a strong password that you can remember. This password is set to protect access to ChatSecure, in case your phone is stolen or compromised. This is an added layer of protection so that adversaries cannot access your past communications or pretend to be you and have conversations with your contacts.

Add an account. For demonstration purposes and ease of use, I’ve opted to use my Gmail address. Using a Google account is likely the least private means of private conversation. Keep in mind that Google, and by extension the NSA, will hold the metadata of your chats, including:

  1. The fact that you are using the internet (time stamp)
  2. The fact that you are signing in and out of Google (time stamp)
  3. The fact that you are conversing with a specific person (contact and time stamps)

Also keep in mind that when you use Off-the-Record (OTR) messaging, Google and the NSA will not be able to read the contents of your conversation, since it is encrypted end to end between the two chat clients; only the metadata above remains visible to them.

XMPP and ZeroConf are alternative messaging architectures that may give you greater privacy if used correctly (ZeroConf only reaches devices on the same local network, and an XMPP server you pick still sees the same metadata that Google would). Be sure to research which chat protocol is best for you and the risks that you face.

Connecting to Google via the Tor anonymity network is recommended to hide your network location (your IP address) from Google and to protect the connection in transit. However, be aware that if you’re using a cell phone, your cell service provider still knows where you are, and if the NSA needed to find out where you were during an OTR conversation, it could correlate the time stamps that Google and your cell service provider hold.

Selecting this check box will bring up a dialogue to install Orbot (Android) if you do not already have it installed.

Install Orbot.

Open Orbot.

Select your language.

Read and click through the dialogue.

If you have not rooted your Android, you will not be able to use Orbot’s advanced functionality. But for the purpose of using ChatSecure and other applications designed to work with Orbot, you are going to be able to utilize the Tor network.

It looks like Orbot hasn’t been updated to advertise ChatSecure by its new name–formerly Gibberbot.

Press and hold the ‘power’ icon in the center to start your Tor connection.

Orbot will begin connecting to the Tor network automatically.

Now you’re connected to Tor and your ChatSecure application will route its communication through Tor.

Sign into your Google account (similar to Google Hangouts).

Select the three-vertical-box icon to access Settings.

Select Chat Encryption.

Require encryption for your ChatSecure/OTR conversations.

You may need to add a contact.

Enter the email or account address of the person whom you wish to converse with.

Select the person whom you wish to converse with.

Say hello! Keep in mind that the padlock at the top of the screen is not locked. This “hello” will be in cleartext.

Select the padlock to start the encryption (OTR) initialization process. The person you are chatting with must have an OTR-compatible client, ideally the same version of the same software, or at least an up-to-date OTR-compatible application such as Pidgin with the pidgin-otr plugin on Windows, Mac and Linux.

Your ChatSecure conversation is now encrypted using OTR; however, the yellow question mark in the padlock indicates that the identity of the person you are chatting with has not been verified, so you cannot yet rule out someone sitting in the middle of the conversation.

Select the padlock again to verify the identity of the person you are chatting with.

Ideally you will select Question in order to pose a question whose answer only you and the person you are privately conversing with know (OTR’s Socialist Millionaire protocol; the answer itself is never sent over the wire). This helps verify that you’re talking to the right person. You should also verify the public key fingerprint over a separate channel you trust, such as in person or by voice. For the purpose and ease of use of this presentation, I manually approved the identity.

Verify the fingerprints! And tell the person you’re speaking with what yours is!

Now that you have verified the identity of the person with whom you are conversing, ChatSecure changed the padlock icon from a yellow question mark to a purple check.

Notice that because OTR (end-to-end encryption) is functioning and the person on the other end is verified, the text that is sent and received from now on also uses the purple padlock.

By default, ChatSecure will not store your conversation on your mobile device. So when you close a chat window and start a new session, you will have no chat history.

This is an example of what “information” Google and the NSA see from your OTR conversation. Privacy rules!

DISCLAIMER: The public key fingerprints shown above are not my actual fingerprints. These screenshots are only for the purposes of my demonstration.

Get Tomb 1.4 up and running on Ubuntu 13.10

Tomb is an excellent command line tool for maintaining encrypted files. Tomb files can be stored on an Internet-facing server so that they can be accessed from anywhere in the world using any SSH client. An adversary would have to compromise said server, gain administrative privileges, and then, if they also obtain the key files, brute-force the key passphrases in order to recover the contents of said Tombs. Someone more “at risk” than me should keep an air gap between the Internet and their Tombs. Managing your Tomb’s key files is a different matter that I’ll discuss later.

Read about Tomb here: http://www.dyne.org/software/tomb/

Download Tomb onto your Ubuntu server. Give wget the output name explicitly; otherwise it names the file after the query string in the URL and you have to rename it afterwards.

wget -O Tomb-1.4.tar.gz 'https://files.dyne.org/.xsend.php?file=tomb/releases/Tomb-1.4.tar.gz'

Download the SHA-256 checksum file published next to the release.

wget https://files.dyne.org/tomb/releases/Tomb-1.4.tar.gz.sha

It holds the expected hash in sha256sum’s own “hash  filename” format.

cat Tomb-1.4.tar.gz.sha

2621ac6b9180321e69743dc899645449b2b958c6aa46e4b2601c2e89131bbf29  Tomb-1.4.tar.gz

Compute the tar file’s SHA-256 and compare it to the above hash; if they’re the same, continue with the installation.

sha256sum Tomb-1.4.tar.gz

2621ac6b9180321e69743dc899645449b2b958c6aa46e4b2601c2e89131bbf29  Tomb-1.4.tar.gz

Rather than eyeballing 64 hex digits, let sha256sum do the comparison; it exits non-zero on a mismatch, so a following command chained with && will not run on a bad download. Bear in mind that the .sha file comes from the same server as the tarball, so this catches corruption and mirror mix-ups but not a compromised server; only a signature made with a key you already trust would.

sha256sum -c Tomb-1.4.tar.gz.sha

Tomb-1.4.tar.gz: OK

Unpack the tar file (no sudo needed; extracting as root would leave root-owned files in your home directory).

tar -zxvf Tomb-1.4.tar.gz

Change into the newly created Tomb Directory.

cd Tomb-1.4/

Install Tomb.

sudo make install

Check that Tomb installed by checking its version.

tomb -v

Tomb 1.4 – a strong and gentle undertaker for your secrets

Copyright (C) 2007-2013 Dyne.org Foundation, License GNU GPL v3+
This is free software: you are free to change and redistribute it
The latest Tomb sourcecode is published on
This source code is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Please refer to the GNU Public License for more details.

System utils:

Sudo version 1.8.6p3
cryptsetup 1.4.3
pinentry-gtk2 0.8.1
gpg (GnuPG) 1.4.14 – key forging algorithms (GnuPG symmetric ciphers):
IDEA 3DES CAST5 BLOWFISH AES AES192 AES256 TWOFISH CAMELLIA128 CAMELLIA192 CAMELLIA256

Be sure to “shred” your Tombs or Tomb key files if you ever want to move them or delete them. If you’re moving your files, copy them first and then shred the unwanted originals. Do not simply move them.

sudo shred -f -v -z -u tomb.tomb.key

One caveat from shred’s own manual page: it works by overwriting the file in place, which only destroys the old data where the filesystem actually writes over the same blocks. On copy-on-write filesystems (ZFS, btrfs), journaled filesystems in data=journal mode, SSDs with wear levelling, and anywhere snapshots or backups exist, the old contents can survive. On such storage the key’s passphrase is what really protects you, so choose it accordingly.