Quick guide to making your Mac safe

Well now that we don’t have privacy, here’s a quick review of what to do to harden your Mac:

  1. Install 1Password using Dropbox because it’s a pain to remember all the passwords.
  2. Turn on System Preferences/Security & Privacy/FileVault. This encrypts your hard disk, so in evil hands, they at least need your password.
  3. Turn on System Preferences/Security & Privacy/Firewall. This keeps some of the bad things out.
  4. Download and install Sophos Home, a free antivirus package.
  5. Download and install Adguard to keep ads out. You can uninstall individual browser pieces, but if you do not want a system-level thing, then use uBlock Origin.
  6. Download and install DNSCrypt to make your DNS queries private.
  7. Download and install Private Internet Access.
  8. Make Startpage the search engine in your browser to mask your queries.

From Vi to Atom Vim-Mode

OK, I admit it: I mainly use Vi for editing because it is just so fast to edit things from the keyboard. You never need to leave the keyboard when moving around. It is arcane and terrible, yet I actually got running (thanks, Syntastic) a coding environment that lets you lint and then run through JavaScript and Python code.

But there has to be something newer. I’ve tried Sublime and I’ve tried SlickEdit, but I was looking for something more new age. What the heck, I saw Dean ask on Facebook and Atom came up quite a lot, so now I’m trying to figure out how to use it. First, some great things:

  1. Typing atom foo.txt from the command line actually works. Seems like a small thing, but it is nice to CMD-W and then get back to the terminal window. Turns out that like Emacs and other modeless editors, Atom does have some big keys like CTRL-SHIFT-W to select a word, so eventually I’ll memorize those instead of yW 🙂
  2. There is a vim mode so I can still use my favorite keys, although you still can’t use those fancy g/test/s//foo/g commands, at least I haven’t found out how. I normally do this way more than graphical edits.
  3. They have a zillion packages and a nice apm modeled after npm to manage it.

Unifi Tips and Tricks

I’ve now got five homes where I’m helping folks run their networks. Unifi is pretty awesome because you can configure the AP at home and then take it to someone and it is completely configured for them. It is so unlikely that a regular human can figure out the access point systems that it is better to preconfigure and then wrap it up.

The UniFi software is pretty weird and hard to figure out. Here are the tips:

  1. You download a UniFi console and it becomes the center. All access points connect to a single computer. They will operate on their own, but they are linked to that computer. Even if this is just a laptop, the good news is that you can configure them, and if they can’t find that console they just keep running.
  2. The UniFi console is actually an application that listens on port 8443, so you use a web browser (Chrome seems to work best) to use it. So when you start, you get a small little box that says “launch browser”.
  3. The application itself is pretty confusing. The upper right has the “Site” id. The idea is that each site has a different layout.
  4. To create a site, click the + sign in the upper right. Deleting one is really confusing because there is no delete button; instead, when you go to a Site, you click on the settings icon (the gear icon in the lower left) and then you will see Delete at the bottom.
  5. Within each site, you can set up a network group. You can attach any number of Wifi networks to any site. So for instance, if you have a work network set and a home network set, then you can have multiple sites with just work, just home or both.
  6. Finally, the APs themselves are Linux boxes; they have an ssh port and a single password set against them. You need to store this in 1Password or somewhere, because that is how you get in to reprovision the APs.
  7. And when you want to use another laptop, you need to make sure that you have done a backup, which creates an INF file, and you can use that to restore the whole setup.

Ad Blockers for Safari

Well with privacy always under assault, besides a VPN, you need an Adblocker and tracking masker. Here are some choices:

  1. uBlock Origin. This isn’t regular uBlock (which isn’t developed anymore), but a new fork that has a Safari build.
  2. Adguard is another one which gets good user reviews.

Then the ones that are questionable as they leak information:

  1. Ghostery. They sell your information, apparently.
  2. Adblock Plus. The most popular one, but they let ads through because that is their business model.

Another question is what about tracking blockers. Well things like Ghostery seem superfluous if you have an Adblock.

Then, if you are a power geek, install JS Blocker, and you get to block specific chunks of JavaScript.

Protecting your Privacy from your ISP

Now that there are no limits on ISPs reselling your personal browsing and other information, what can a person do? Well, the easy things are:

  1. Buy a VPN. You need a reputable one. I’ve used Private Internet Access for years and they seem pretty reliable. The main issue is that on iPhones, as you traverse networks, the application gets confused and you have to toggle it off and on. Also the Mac application can get hung and not allow any connections at all, and requires a reboot. Most of the time, though, it works fine. Another service we’ve used is ExpressVPN. This one seems to confuse Mac local networking, though, so you can’t see any of your devices. Also beware that on an iPhone it makes it look like you are always on Wifi, so unless you have an unlimited plan, it is pretty unusable on an iPhone.
  2. Install it on all your devices. This is the painful part because it has to be up and going on all your mobile devices.
  3. Install it on your router. You should see if this is possible; some routers allow you to set up a connection from there. The main issue is that if this gets hung, you have to know how to unwedge it.
  4. Install 1Blocker and other ad blockers. Not really related to this, but it is a good idea.
  5. Use the opennicproject.org DNS servers. These nasty ISPs track your DNS requests, so you have to mask that too. If you are on a VPN, this is automatically done, but you have to do this on all your machines as well, for those times when you are not on a VPN. DNSCrypt is a tool that you can use for this and it works pretty well, although Cisco bought DNSCrypt so who knows how long that will last.

Chevrolet Bolt Oddities

Well, if you are a Chevy Bolt owner and wonder what all those parameters mean, here’s a little bit of a decoder ring (it is incredible in this day and age that even with all that infotainment, there isn’t a simple thing like a Tooltip to tell you what a setting means), but fortunately there are forums:

  1. Hilltop Reserve. I had mistakenly thought this had something to do with hill climbing, but it is incredibly misnamed. What it means is that if you live at the top of a monster hill, the thing will only charge to 90%, so that as you coast downhill you will get more free charge. Now doing that math, this would be a 6kWh hill; in other words, it had better be an hour downhill. The side benefit is that it only charges the battery to 90%, which helps long-term battery life. Just remember to turn this off when you are going on a long, long trip and need the extra 10% (about 24 miles).
  2. Android Auto. Man, this is a strange mode; it doesn’t seem to work with a Nexus 5X on the latest Android. Not clear why, I wish these modes had some debugging. Also, it is strange to have something that has to switch: when you click on it, it detects the phone and then asks if you should switch. Isn’t it obvious if I’ve plugged it in?
  3. Apple CarPlay. What a strange implementation. There is no obvious way to go to the home of the overall system. You just have to hit the hard HOME key or go through the Energy system to find it. Plus, if you want to open up a non-CarPlay application, Siri refuses to do it even though it works just fine.

Best Ad Blockers and Private VPNs

Now that there is no more privacy in the US (because ISPs can freely resell all your access information), here is what you can do to protect yourself:

  1. Get a VPN. There are many that are not so reputable, but Private Internet Access and ExpressVPN seem at least more reputable. You have to load them on each of your computers and mobile devices and they are a bit of a pain, but do mask where you are coming from.
  2. Opennicproject.org. You can use a private DNS server as well. ISPs can see what you are accessing from your DNS queries, so you do not want to use an ISP or carrier DNS.
  3. Finally get an ad blocker so that at least some of the data is hidden.

This is probably a lost cause, but might as well make it a bit harder for people to track everything that you do.

Using GSuite with Bluehost to reduce Spam

Well, I have been frustrated by all that horrible spam. Bluehost has been great, but even with SpamExperts and SpamAssassin we still get way more spam. I originally just wanted to have Gsuite filter messages and send them back to Bluehost for delivery; it turns out that this is actually impossible. You can try to do split delivery, for instance, but this doesn’t quite work. Instead, the best and cheapest thing to do is to have Bluehost send mail to Gsuite, which then filters it and then forwards it to personal Gmail accounts. Pretty cool but hard to figure out. In the personal accounts, you set each to reply-to the Bluehost account and it all works: you get nice Gmail interfaces but can use the vanity domain without having to have a Gsuite account for each.

Getting started with Gsuite

Here are the steps:

  1. Sign up for Gsuite with your private domain.
  2. Log on to Gsuite with one account. You will have to validate your domain by sticking things into a CNAME record or something like that.
  3. You need to set up the right CNAME record and the right MX records.
  4. Then use the Admin Console with a customized URL pointing to ghs.googlehosted.com.
  5. Because you don’t want to pay $5/month for each user, you can forward vanity accounts to existing (and free gmail accounts).

Debug the host

The first thing to know about debugging all this mail routing is that you need to set things up properly in the User Settings area. Note that this conflicts with the later Routing setting, so you want to leave this as clean as possible. Here is how to debug.

  1. Gsuite has a Reports/Email Log Search, which will let you know if mail was received externally and where it went. Mainly this will tell you it went into the mail pipeline, which is a good thing.
  2. It will also tell you if it thought the mail was spam.
  3. Make sure to disable catch-all so that routing of unrecognized mail works. This is in Gsuite > Apps > Gmail > User Settings > Email Routing; choose Discard to make sure you see how the routing works. If you have catch-all on, then none of the rules will ever work, because all mail is recognized and sent to your catch-all, so make sure this is reset.
  4. If you try to use your box***.bluehost.com:587, note that this is for delivery from a client, so it needs authentication. Use port 25 instead, as this is the standard SMTP port for mail-server-to-mail-server delivery. You should use the default name for Bluehost, which is typically mail.yourdomain.com, and port 25. However, there is a problem in that Bluehost will either deliver locally (if it detects that the lowest MX record is a local system) or it will only deliver remotely. It does seem that it is impossible to have Google first get the mail and then redeliver to local accounts. That’s too bad, as it would be really convenient.

Debugging to make sure the Gsuite and Bluehost mail flow

  1. Add a rule as noted below, then see how the message is routed. So to test routing to your old domain, create a new host (see below) and then create a routing rule for “All recipients”, and make sure “unrecognized addresses” is checked down below. This will route all unrecognized emails (e.g. those without Gmail accounts) to the downstream host, so you can check to see if the host works OK.
  2. In our case, this didn’t work because submitting to port 587 on bluehost.com resulted in an SMTP authentication required message and an NDR was sent back, but it works on port 25.
  3. Use Gsuite > Reports > Email Log Search to figure out how routing works.
  4. Now you can use the Bluehost trace email to see how mail is sent.

Having Gmail forward mail

Since you can’t have Bluehost reprocess mail once it hits your vanity domain, your main option is to use Gmail routing to forward mail. This isn’t split delivery, but really forwarding. It is not really obvious how to make it work, so here goes:

  1. Add the Hosts above and make sure that works.
  2. In Gsuite > Apps > Gmail > Advanced Settings > Default Routing, add the route for each forward by checking that Routing is Normal (so it will go into the dead-letter box in your Gsuite), then add Additional Delivery and type in some other address like privatemail@gmail.com, so people can use a personal and free Gmail account.
  3. Also note that if you edit the current Default Routing, you get a spurious “there is an error editing, try again later” message. It actually does work, but you have to hit refresh, at least in Safari, to see it.

More details on how routing works

The most confusing thing is how to support all of this without having to buy a $5/month mailbox for everyone. That makes sense for a company but not a vanity domain. Here are some solutions for routing messages. Note that right now GSuite seems to hang under Safari, so use Chrome:

  1. Split delivery. This is the right enterprise way to do this. First set up a route to the old mail server under Apps > G Suite > Gmail > Advanced settings > Hosts > Add Host. Make sure you use TLS (and the matching port) for security. Then go to Apps > G Suite > Gmail > Advanced Routing > Inbound Routing and change the default routing route so those addresses go back to the legacy server, assuming your old host still handles the mail. Then you get all the spam filtering, but end users don’t have to change anything!
  2. Remapping in the local system. Go to Apps/G Suite/Settings for Gmail/Advanced settings/Recipient Address Map to fix things. This seems to reroute messages, but it looks like it doesn’t work for moving off the server, so you can’t just point it at an arbitrary email address; it only works internally.
  3. You can also do this at the individual user level with aliasing, so one account can respond to rich in addition to any other names.

Some strange things

  1. Conflicting accounts. There is a strange issue where you can have an organizational account called foo@tongfamily.com and a personal one also called foo@tongfamily.com. I actually had this problem when creating the Gsuite identity, so I had to create a fake admin name and then delete it once I could create the new identity.
  2. The only way that seems to work is to create a group and allow outside accounts, like another Gmail address, to be part of the group. This works well in those cases where users are already using their vanity name (like rich@tongfamily.com) as their Google authentication, because Google won’t deliver if there is a name collision. Then you connect it to the outside account. This is a little clunky because you need this extra group, but it is nice because any end user can do it and you do not need admin privileges. In this case you can have lots of folks use free personal Gmail accounts, but they get routed mail via the vanity domain. They can also set reply-as in the personal Gmail so it looks like they are using the vanity domain.
  3. Finally, there is a difference for unrecognized addresses, that is, addresses where there is no Gmail account. However, beware that if you turn on a catch-all address to get all the mail, then all addresses are recognized. So normally you do not want this on.

Protecting yourself from Spam with Magic DNS Records

The main way is to use special DNS records to limit things:

  1. SPF. The Sender Policy Framework is a TXT record which tells receiving mail servers which servers are allowed to send mail for your domain. For instance, if you say v=spf1 include:bluehost.com, this means that only the servers listed in bluehost.com’s SPF record can send mail for that domain.
  2. Set up DKIM to digitally sign the outgoing message headers so that other servers can detect spam that is falsely written as coming from your servers. You just need to generate a DKIM record in Gmail > Advanced Settings > DKIM and add it as a TXT record in the DNS server. SPF tells other servers what mail servers can send for your domain. That is, sometimes the mail is both forged (fixed with DKIM) and comes from some other mail server (fixed by SPF). You can merge SPFs, so for instance you can use Bluehost and Gsuite together: with SPF syntax you basically combine their include mechanisms in one record.
  3. DMARC is another TXT record that tells recipient mail servers what to do with mail that comes addressed from your domain. For instance, you can say (as eBay does) that any mail that doesn’t have DKIM on it should be rejected.
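As an added example (not from the original post), here is a miniature SPF and DMARC evaluator run against a constructed in-memory DNS zone, showing how a merged SPF record with two include: mechanisms (a Bluehost-style and a G Suite-style sender range) decides whether a sending IP passes, and how the DMARC policy is read. All domain names and IP ranges are constructed placeholders, not real records.

```python
"""Simplified SPF/DMARC evaluation over a constructed zone (example only)."""
from ipaddress import ip_address, ip_network

# Constructed TXT records standing in for real DNS lookups.
ZONE = {
    "example.com": ["v=spf1 include:bluehost.example include:_spf.google.example -all"],
    "bluehost.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_spf.google.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None (more than one is an error)."""
    recs = [r for r in ZONE.get(domain, []) if r.startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def spf_check(domain, sender_ip, depth=0):
    """Evaluate ip4:, include: and all mechanisms left to right; first match wins."""
    rec = spf_record(domain)
    if rec is None or depth > 10:  # missing record or too many nested includes
        return "permerror"
    ip = ip_address(sender_ip)
    for term in rec.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ip_network(term[4:], strict=False):
            return result
        if term.startswith("include:"):
            # include: only matches when the referenced domain's record returns pass;
            # this is how Bluehost and G Suite senders are merged into one record.
            if spf_check(term[8:], sender_ip, depth + 1) == "pass":
                return result
        if term == "all":
            return result
    return "neutral"


def dmarc_policy(domain):
    """Parse the _dmarc.<domain> TXT record into a dict of its tags (e.g. p=reject)."""
    recs = [r for r in ZONE.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")]
    if not recs:
        return {}
    return dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)


if __name__ == "__main__":
    print(spf_check("example.com", "192.0.2.10"))   # pass (via the Bluehost include)
    print(spf_check("example.com", "203.0.113.5"))  # fail (hits -all)
    print(dmarc_policy("example.com")["p"])         # reject
```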