f-log

just another web log

28 Jun 2015:
Pebble Time does not disappoint
As a gift from my family for reaching a milestone age I got to pre-order the Pebble Time smart watch from Kickstarter.

It arrived last Friday and I am pleased to say that the battery has not needed recharging once (though it is now at 10%). This thing is pretty amazing in a number of areas.

Choice of colours: I like not having a plain black or Apple white watch.
[image: Pebble Time watch with red strap and case, front and back]

Choice of watch faces: I was blown away at the news that Apple would not support different faces on their much more expensive device. There are hundreds of completely free faces, from analogue to digital to fire to Batman to weather to just about anything you can think of.
[image: Pebble Time watch showing two watch faces, fire and enigma]

Openness: Not only can you develop your own watch faces free of charge, but you can also develop apps that hook into websites/services and phone apps. On top of that, they offer a full free online IDE to develop in that includes emulators of all Pebble devices, links to Github and a deploy-to-device option. These watch faces and apps can be developed in C or JavaScript, but I have found the JS support lacking as it is still in Beta. Here is a 3D "game" that you control with the accelerometer, and my Magic 8 Ball app.
[image: Pebble Time watch showing two watch apps, 3D arena and Magic 8 Ball (JS Beta)]

Integration: Notifications from the phone (Android Lollipop) appear on the watch, including Twitter, SMS texts, app updates and incoming calls. This is all done via a free app from Pebble that connects via Bluetooth. Incoming calls can easily be dismissed without retrieving your phone, and SMS's can be replied to via voice to text, templates or smiley options.

There is so much else to talk about, like its 30m water resistance, the weather forecasts and calendar appointments it shows, oh and the really soft watch strap, the colour e-ink display...

I have been telling people for years that I do not need a watch, but I am really loving this, especially the ability to make the device do whatever I want. Though saying that, it is now the new "shiny" distracting me from current projects.
28 Jun 2015:
kidsspot tail denied madness and bad regex
I forgot to note my favourite command for monitoring the failed connections through the kidsspot proxy.

sudo tail -n 20 -f /var/log/squid3/access.log | egrep TCP_DENIED

This follows the access log as it grows and filters it down to the TCP_DENIED lines.

Here is my current white list (updated from the last post)
www\.jumpstation\.co\.uk
download\.windowsupdate\.com
\.microsoft\.com
.*\.bbci?\.co\.uk
.{3}\.gamib\..{3}
www\.friv\.com
www\.msftncsi\.com
funo\.com
textadventures\.co\.uk
www\.startssl\.com/sfsca\.crl
crl\.globalsign\.net/root\.crl
update\.videolan\.org
.*\.mathletics\.co\.uk
.*\.mathletics\.com\.?a?u?
.*\.mymaths\.co\.uk
.*\.3plearning\.com


Have to remember these are regular expressions, so an unescaped "." matches any single character and ".*\." is any number of characters (including zero) followed by a literal period.
27 Jun 2015:
kids happy with kidsspot but not https
So the kidsspot wifi experiment is going well. Any kick back from the kids regarding what's available can be met with "it's better than nothing", which they seem happy with. Plus I am more than willing to add new sites as we find them.

Here is my current white list
www\.jumpstation\.co\.uk
download\.windowsupdate\.com
\.microsoft\.com
.*\.bbci?\.co\.uk
.{3}\.gamib\..{3}
www\.friv\.com
www\.msftncsi\.com
funo.com
textadventures.co.uk
www.startssl.com/sfsca.crl
crl.globalsign.net/root.crl
update.videolan.org


I really should add a black list so I can filter out bbc.co.uk/news, but as there are no links to it and Google does not work... Job for another day.

FYI I recommend textadventures.co.uk for kids to create their own text adventures. You can add images and it is really accessible; watch the example video.

The bad news is I keep coming across HTTPS sites, e.g. textadventures.co.uk wants you to log in to save games (luckily it has a downloadable application). It would be nice to let the kids use Google even if they can not follow any of the links.

SSL/HTTPS support is supposed to be straightforward (not quick and easy, but also not impossible to set up), but I keep hearing about companies hardening HTTPS so that the kind of attack (yep, that's what this would be) needed to offer HTTPS via a transparent proxy would not be possible. Another job to add to my list.
02 Jun 2015:
kidsspot a raspberry pi wifi hotspot for kids
I managed to nab some out-of-date laptops from work that were destined for the skip, with the proviso that I remove the hard disks for destruction. I had no idea how complicated removing drives from different laptop models was.

The kids demand http://www.friv.com on a regular basis. How can I set the laptops up so that they can visit just that site(and a few others)?

Raspberry Pi to the rescue! I can set the Pi up as a WiFi hot-spot which routes all traffic through a transparent proxy. What is a "transparent proxy"? Simply put, a proxy that operates on the clients' behalf without the clients having to know about it (zero setup).

So laptop1 will connect to WiFi access point "kidsspot" and every browser(and other internet request) will go to the Pi. The Pi will push all the traffic requests through a filter, so only what is allowed gets access to the internets[sic].

!WARNING! !WARNING! This type of kid control is considered !BAD!

What? Why?

Children should be chaperoned while on the internet at all times rather than being restricted. However, as I am not creating a "black list" of all the sites I do not want them to visit but, instead creating a "white list" of all the sites I do want them to visit, I think I can get away with it. There are some more notes about the ethics and other bits at the end of this post.

As with all great tutorials I have borrowed heavily from giants before me.

Equipment list:
Raspberry Pi + power supply(good quality) + SD card(Raspbian installed)
WiFi USB dongle(that works with the Pi)
Ethernet cable(with some internet)
Target computer with WiFi hardware.

The first job is to get the Pi to work as a WiFi hot-spot. Follow the steps at http://www.makeuseof.com/tag/build-your-own-safeplug-tor-proxy-box/ up until the "Install Tor" bit.

A couple of things to watch out for

Generating /etc/default/isc-dhcp-server...
[....] Starting ISC DHCP server: dhcpd[....] check syslog for diagnost[FAIL... failed!
failed!
invoke-rc.d: initscript isc-dhcp-server, action "start" failed.


that was worrying. But as I read further down the post that was expected, doh!

So many steps! But they were all straightforward, if you ignore the screenshot for /etc/network/interfaces (it shows "up iptables-restore < /etc/iptables.ipv4.nat", which is added much later).

DHCP did not work until I had changed /etc/default/ifplugd to
INTERFACES="eth0"
HOTPLUG_INTERFACES="eth0"

and rebooted (which is noted in the cat tutorial that I reference next).

At this point you can connect to your hot-spot and get an IP address and have full access to the internet!


Now for the filtering.

I used http://www.makeuseof.com/tag/how-to-make-a-wifi-network-that-only-transmits-cat-pictures-with-a-raspberry-pi/ as a start, but it seems a bit out of date so I recommend only using it as reference. I will try and recreate all the necessary steps here.

sudo apt-get install squid3 bridge-utils apache2 perl
nano iptables.sh
(you can also use vi like a real hacker!)

and paste in
#!/bin/bash
# NAT the hot-spot clients out through the Pi's uplink
iptables -t nat -A POSTROUTING -j MASQUERADE
# block all HTTPS (port 443): forwarded through the Pi, and to/from the Pi itself
iptables -I FORWARD -p TCP --dport 443 -j REJECT
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP
# send all HTTP (port 80) from the WiFi clients to Squid on port 3128 (the transparent proxy)
iptables -t nat -A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.42.1:3128
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

and save it.

Set the permissions and copy the file where we can run it as a service
chmod +x iptables.sh
sudo cp iptables.sh /etc/init.d/
sudo update-rc.d iptables.sh start 99


comment the /etc/network/interfaces file so it looks like this.
auto lo

iface lo inet loopback
iface eth0 inet dhcp

allow-hotplug wlan0
iface wlan0 inet static
address 192.168.42.1
netmask 255.255.255.0

#up iptables-restore < /etc/iptables.ipv4.nat


Now to get the proxy locked down. For starters we will just allow access to my web site http://www.jumpstation.co.uk

echo www.jumpstation.co.uk >> /home/pi/allowed-sites.squid

then set that up in the squid config file /etc/squid3/squid.conf

acl GoodSites dstdomain "/home/pi/allowed-sites.squid"
http_access allow GoodSites


I totally agree the /etc/squid3/squid.conf is hell on earth if all you want to do is make minor adjustments. Either battle through it or try the burn-and-clear option in the cat tutorial http://www.makeuseof.com/tag/how-to-make-a-wifi-network-that-only-transmits-cat-pictures-with-a-raspberry-pi/
The key thing to note is that the file is read sequentially, so at the end of all the default "acl" statements I added my GoodSites one, and then before all the default http_access commands I added mine so it would override the others.

One final change while we are in /etc/squid3/squid.conf
change
http_port 3128
to
http_port 3128 transparent

Then reboot the Pi and try and connect.

You should find http://www.jumpstation.co.uk works but http://slsushi.co.uk is blocked!

Oops! Where is the coin animation on my home page? Ah, it's trying to load the jQuery library from a Google CDN address. You will see this a lot: you allow one domain to work and find that it relies on another. Luckily it is easy to see what is getting blocked.
sudo tail -f /var/log/squid3/access.log | egrep DENIED
will show you in real time what is getting blocked (CTRL+C to exit). Then you can update your /home/pi/allowed-sites.squid and restart Squid with
sudo service squid3 restart
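As an added example (mine, not from the post), here is a small Python script that does the "egrep DENIED" job over a constructed set of access.log lines in Squid 3's native format: it counts which hosts were refused and escapes each one ready for the regex-style whitelist from the 28 Jun post. The log lines are made up for the demo.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of Squid 3 native access.log lines (not real traffic). Fields are:
# timestamp, elapsed ms, client IP, action/status, bytes, method, URL, ident, hierarchy/peer, type.
SAMPLE_LOG = """\
1435478400.101     0 192.168.42.10 TCP_MISS/200 5123 GET http://www.jumpstation.co.uk/ - DIRECT/203.0.113.5 text/html
1435478400.250     0 192.168.42.10 TCP_DENIED/403 3728 GET http://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js - NONE/- text/html
1435478401.010     0 192.168.42.10 TCP_DENIED/403 3728 GET http://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js - NONE/- text/html
1435478402.500     0 192.168.42.11 TCP_DENIED/403 3728 GET http://slsushi.co.uk/ - NONE/- text/html
1435478403.000     0 192.168.42.11 TCP_MISS/200 812 GET http://www.friv.com/ - DIRECT/203.0.113.9 text/html
"""


def parse_line(line):
    """Return (client, action, url) from one native-format line, or None if it is malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    action = fields[3].split("/")[0]          # "TCP_DENIED/403" -> "TCP_DENIED"
    return fields[2], action, fields[6]


def denied_hosts(log_text):
    """Count TCP_DENIED requests per destination host: the summary behind 'tail -f | egrep DENIED'."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == "TCP_DENIED":
            counts[urlsplit(parsed[2]).hostname] += 1
    return counts


def suggest_entries(counts):
    """Escape each denied host so it can be pasted into allowed-sites.squid as a regex entry.

    Review the list by hand first: a host being blocked does not mean it should be allowed.
    """
    return [re.escape(host) for host, _ in counts.most_common()]


if __name__ == "__main__":
    hosts = denied_hosts(SAMPLE_LOG)
    for host, n in hosts.most_common():
        print(f"{n:4d}  {host}")
    print("candidate whitelist entries:", suggest_entries(hosts))
```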

Some final notes about kidsspot(not to be confused with any other company or service with same name).

Lots of sites are going HTTPS only, so unblocking www.google.com does not help because it redirects to https://www.google.com
(I am not looking at the issue of HTTPS today, maybe later; currently all HTTPS traffic is blocked in the iptables.sh file.)
If you need to bypass the proxy you can add an exclusion based on IP address, or just plug in an ethernet cable.

To exclude the IP address 192.168.42.10 from the proxy filtering add
acl permittedips src 192.168.42.10
and
http_access allow permittedips
to the relevant places in /etc/squid3/squid.conf and restart the service.
sudo service squid3 restart

(this does not get around the HTTPS blocking in iptables)

Although I have not tried it you can set rules based on times, so the kids can not surf at midnight.

My use of the /home/pi/allowed-sites.squid does work but I found it better to change the /etc/squid3/squid.conf reference from
acl GoodSites dstdomain "/home/pi/allowed-sites.squid"
to
acl GoodSites url_regex -i "/home/pi/allowed-sites.squid"

So it treats each entry as a regular expression (case insensitive) and then you can do things like
bbci?\.co\.uk
where the "i" is optional and the "."s are escaped; otherwise the regex www.site.com also matches wwwPsite5com.net
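An added example (mine, not from the post) for this step and for the regex notes in the 28 Jun post: it mimics in Python how Squid's dstdomain ACL matches (the request host exactly, or a leading dot for the domain plus its subdomains) next to url_regex -i (each entry searched anywhere in the full URL, case-insensitively), over a constructed whitelist and sample URLs, and shows what the unescaped "funo.com" entry from the earlier list lets through.

```python
import re
from urllib.parse import urlsplit

# Constructed whitelist in the url_regex -i style of the post: dots escaped, optional "i" in bbci.
REGEX_ALLOWED = [
    r"www\.jumpstation\.co\.uk",
    r".*\.bbci?\.co\.uk",
    r".{3}\.gamib\..{3}",
    r"funo\.com",
]
# The same funo entry with the dot left unescaped, as in the earlier list.
REGEX_UNESCAPED = [r"funo.com"]
# Constructed dstdomain-style list: exact host, or a leading dot for the domain and all subdomains.
DOMAIN_ALLOWED = ["www.jumpstation.co.uk", ".bbc.co.uk"]


def url_regex_allowed(url, entries):
    """Mimic 'acl ... url_regex -i': an entry matches if it is found anywhere in the whole URL."""
    return any(re.search(e, url, re.IGNORECASE) for e in entries)


def dstdomain_allowed(url, domains):
    """Mimic 'acl ... dstdomain': compare the request host only, never the path."""
    host = (urlsplit(url).hostname or "").lower()
    for d in domains:
        d = d.lower()
        if d.startswith("."):
            if host == d[1:] or host.endswith(d):
                return True
        elif host == d:
            return True
    return False


def explain(url):
    """Return (dstdomain verdict, url_regex verdict, verdict using the unescaped funo entry)."""
    return (dstdomain_allowed(url, DOMAIN_ALLOWED),
            url_regex_allowed(url, REGEX_ALLOWED),
            url_regex_allowed(url, REGEX_UNESCAPED))


if __name__ == "__main__":
    for u in ["http://www.bbc.co.uk/cbbc", "http://www.bbci.co.uk/", "http://WWW.GAMIB.COM/play",
              "http://funo.com/", "http://funoXcom.example/", "http://slsushi.co.uk/"]:
        print(u, explain(u))
```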

!WARNING! !WARNING! this is not supposed to be fool-proof, there are ways around this type of blocking, though they are not trivial and usually require additional internet based servers. As my kids do not own any internet servers(that I know about) I think I am pretty safe.

Speaking of "safe", does this block all viruses and malware? No, but your users could only get infected if one of your chosen white-listed sites were hacked and hosting viruses/malware.

Job done, kids are happy, time to relax.