Exotic Securityhttps://xo.tc/2021-08-05T08:00:00+08:00Migrating to GitHub Pages2021-08-05T08:00:00+08:002021-08-05T08:00:00+08:00Michael Van Delfttag:xo.tc,2021-08-05:/migrating-to-github-pages.html<p>Over the last few years I have not been updating this blog, it's for all the usual reasons to do with time and commitments. Along with that, I'd gotten pretty lax about patching the server it was running on. It had Debian <a href="https://xo.tc/automatic-updates-for-debian.html">unattended upgrades</a> switched on, but really I should …</p><p>Over the last few years I have not been updating this blog, it's for all the usual reasons to do with time and commitments. Along with that, I'd gotten pretty lax about patching the server it was running on. It had Debian <a href="https://xo.tc/automatic-updates-for-debian.html">unattended upgrades</a> switched on, but really I should have been taking more care of it. </p>
<p>I think it's irresponsible to leave an unmaintained server running on the internet and so over the last weekend I've migrated everything to <a href="https://pages.github.com/">GitHub Pages</a>. I've been using <a href="https://blog.getpelican.com/">Pelican</a> to generate HTML from markdown for the site so uploading that into a git repo was pretty seamless.</p>
<p>It does mean I can't run this site <a href="https://xo.tc/alternative-networks-for-this-site-tor.html">as a .onion site</a> any more, that was a fun experiment while it lasted but again it's not something that I was activity maintaining.</p>How to mount a VHD file on linux2018-11-15T08:00:00+08:002018-11-15T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-11-15:/how-to-mount-a-vhd-file-on-linux.html<h2>How to do it</h2>
<p>Install <a href="http://libguestfs.org/">libguestfs</a></p>
<p>For <strong>Debian and Ubuntu</strong> this is pretty easy</p>
<div class="highlight"><pre><span></span><code><span class="n">sudo</span> <span class="n">apt</span><span class="o">-</span><span class="n">get</span> <span class="n">install</span> <span class="n">libguestfs</span><span class="o">-</span><span class="n">tools</span>
</code></pre></div>
<p>For <strong>Red Hat, Centos, Fedora</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">sudo</span> <span class="n">yum</span> <span class="n">install</span> <span class="n">libguestfs</span><span class="o">-</span><span class="n">tools</span>
</code></pre></div>
<p>For <strong>Arch Linux</strong> (my distro of choice) you need to install 3 packages from the AUR</p>
<div class="highlight"><pre><span></span><code>git clone https://aur …</code></pre></div><h2>How to do it</h2>
<p>Install <a href="http://libguestfs.org/">libguestfs</a></p>
<p>For <strong>Debian and Ubuntu</strong> this is pretty easy</p>
<div class="highlight"><pre><span></span><code><span class="n">sudo</span> <span class="n">apt</span><span class="o">-</span><span class="n">get</span> <span class="n">install</span> <span class="n">libguestfs</span><span class="o">-</span><span class="n">tools</span>
</code></pre></div>
<p>For <strong>Red Hat, Centos, Fedora</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">sudo</span> <span class="n">yum</span> <span class="n">install</span> <span class="n">libguestfs</span><span class="o">-</span><span class="n">tools</span>
</code></pre></div>
<p>For <strong>Arch Linux</strong> (my distro of choice) you need to install 3 packages from the AUR</p>
<div class="highlight"><pre><span></span><code>git clone https://aur.archlinux.org/hivex.git
git clone https://aur.archlinux.org/perl-sys-virt.git
git clone https://aur.archlinux.org/libguestfs.git
cd hivex
makepkg -si
cd ../perl-sys-virt
makepkg -si
cd ../libguestfs
makepkg -si
</code></pre></div>
<p>Once you have libguestfs as a normal user (not root / sudo) run guestmount</p>
<div class="highlight"><pre><span></span><code>guestmount --add old_server_backup.vhd --ro /mnt/vhd/ -m /dev/sda1
</code></pre></div>
<ul>
<li><code>--add</code> option is for the image you want to access</li>
<li><code>--ro</code> sets to read only, alternatively you could use <code>--rw</code> for read / write</li>
<li><code>/mnt/vhd</code> the path where you want to mount the drive</li>
<li><code>-m /dev/sda1</code> specify which partition within the .vhd file you want to mount. </li>
</ul>
<p>Enjoy :-)</p>
<h2>My Rant</h2>
<p>So I recently had to mount a backup of an old VM that was saved as a .vhd file and so I googled "How to mount a VHD on Linux" and the first result that came up was a Ubuntu forumns post where someone had asked the question and the top reply was someone else telling that person to go off and use a search engine. Followed by a link to Stack Overflow which didn't actually answer the question.</p>
<p>Some support forums and Stack Overflow in particular can be quite toxic to new comers (and even toxic to experienced veterans) and it's very infuriating when the top result on google is someone being told to just search google for the answer.</p>
<p>I know it can be annoying when simple questions come up over an over again but at the very least try to link to a useful article and if possible quote the relevant bit.</p>
<p>Anyway I hope my instructions saved someone the frustration that I went through.</p>Wordfence reivew2018-11-08T08:00:00+08:002018-11-08T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-11-08:/wordfence-reivew.html<p><strong>TLDR:</strong> I tried the free version, I like it.</p>
<p>Amongst other things I do in my day job, I administer a WordPress site. We had a security audit and one of the findings was that our site was misconfigured to show a different failure message for a login when the …</p><p><strong>TLDR:</strong> I tried the free version, I like it.</p>
<p>Amongst other things I do in my day job, I administer a WordPress site. We had a security audit and one of the findings was that our site was misconfigured to show a different failure message for a login when the username exists to when it doesn't. This allows for user enumeration which makes brute-forcing easier because you don't waste time trying to brute force accounts which don't exist.</p>
<p>My first thought was that the auditors had made a mistake, we were running very vanilla WordPress on the latest version and I thought surely that's something the WordPress team would have patched if it was an issue with the default install.</p>
<p>It turns out I was wrong, I couldn't find any definitive statement from the WordPress team but it seems they don't think user enumeration is an issue<sup id="fnref:not-an-issue"><a class="footnote-ref" href="#fn:not-an-issue">1</a></sup>. Along with different log in prompts, there are several other places in WordPress that leak usernames such as appending <code>?author=1</code> to the URL of the site.</p>
<p>So I went looking for a way looking for a way to patch that and found <a href="https://www.wordfence.com/">Wordfence</a>.</p>
<p>After installing it I checked the password failure message and that was fixed. Then I started looking through some of the other features and was impressed with the brute force protection, they have sensible defaults and fairly good metrics.</p>
<p>I also saw they had a scanner which checks the integrity of the WordPress core files which is a good idea.</p>
<p>The plugin can also provide two-factor authentication which is a great idea but that's a paid feature.</p>
<p>Over all, I'd say it's a good plugin and I will be installing it on any WordPress sites I'm responsible for in the future.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:not-an-issue">
<p>To be clear, this is not an unreasonable view to hold. It's more of an information disclosure than a real security threat. It really depends on what type of site you are running as to how serious this is. <a class="footnote-backref" href="#fnref:not-an-issue" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>The right to repair2018-11-01T08:00:00+08:002018-11-01T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-11-01:/the-right-to-repair.html<p><a href="https://www.ifixit.com/Manifesto"><img alt="Self Repair Manifesto" src="https://xo.tc/images/self_repair_manifesto_en_final.jpg"></a>
<em>The Self Repari Manifesto by iFixit</em></p>
<p>Recently a mate of mine blogged about how <a href="https://bscable.info/macbooks-can-only-be-repaired-by-apple-technicians/">Macbooks can only be repaired by apple technicians</a>. This is a story that sort of passed me by but it's becoming increasing common.</p>
<p>I wouldn't have got into IT or learnt anywhere near as much as …</p><p><a href="https://www.ifixit.com/Manifesto"><img alt="Self Repair Manifesto" src="https://xo.tc/images/self_repair_manifesto_en_final.jpg"></a>
<em>The Self Repari Manifesto by iFixit</em></p>
<p>Recently a mate of mine blogged about how <a href="https://bscable.info/macbooks-can-only-be-repaired-by-apple-technicians/">Macbooks can only be repaired by apple technicians</a>. This is a story that sort of passed me by but it's becoming increasing common.</p>
<p>I wouldn't have got into IT or learnt anywhere near as much as I have if I hadn't been able to tinker with things. I'm a tinkerer by nature and that's how I learn.</p>
<p>It seems many companies now days are going out of their way to make it hard to open up their product and understand how things works. This isn't just Macbooks, it's everything from lawnmowers to electronic doorbells.</p>My predictions about autonomous vehicles2018-10-25T08:00:00+08:002018-10-25T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-10-25:/my-predictions-about-autonomous-vehicles.html<p>No one can predict the future, so I'm going to try. Maybe it will be fun to come back to this post in 10 years and see how laughably wrong I was.</p>
<h2>Traffic will become less hectic, not more</h2>
<p>CGP Grey posted a great video <a href="https://youtu.be/iHzzSao6ypE">The Simple Solution to Traffic …</a></p><p>No one can predict the future, so I'm going to try. Maybe it will be fun to come back to this post in 10 years and see how laughably wrong I was.</p>
<h2>Traffic will become less hectic, not more</h2>
<p>CGP Grey posted a great video <a href="https://youtu.be/iHzzSao6ypE">The Simple Solution to Traffic</a> which shows cars <a href="https://youtu.be/iHzzSao6ypE?t=3m51s">weaving in and out</a> at rates that would only be possible with self-driving cars that all know what everyone else will do.</p>
<p>But I don't believe we will ever get to this level of automation. Or at least not for an incredibly long time, I see three problems standing in the way of this:
* <strong>Cooperation</strong> - Will Ford cars talk to Toyota and Tesla talk to Chevy?
* <strong>Security</strong> - Let's say we get cross-vendor communication going, how do we secure that communication so you don't get bored hackers jamming up traffic.
* <strong>Other things on the road</strong> - The biggest blockers I see is other stuff on the road. That person who still wants to drive their vintage <a href="https://en.wikipedia.org/wiki/Ford_Model_T">Ford Model T</a> and even if we passed a law to ban all non-autonomous vehicles, what about cars that have broken down or that little kid who ran onto the road chasing their ball.</p>
<p>From what I've read current autonomous cars feel like being in a car with an overly cautious driver and I expect that trend to continue.</p>
<h2>Private ownership of vehicles will end</h2>
<p>This isn't really my theory, I stole it from a talk by <a href="https://www.youtube.com/watch?v=0op6Wucdv7E">Paul Fenwick</a>.</p>
<p>If you buy a self-driving car and it drops you off at work in the morning, why pay for parking in the city? why even drive it home and park it there? Why not put it to work doing taxi rides while you're at work? as long as it's back to pick you up in the afternoon you might as well make a profit from it while you're not using it.</p>
<p>But then if you extend that if your car is spending more time working as a taxi than being used by you, why not always rent a corporate-owned car when you need it and not need to deal with maintenance and insurance and such.</p>
<h2>Cars will chain together like trucks with trailers</h2>
<p>Achieving something between a bus and a car I can imagine cars that have tow bars on the front and the back and will link up. If four cars are going in the same general route why not link them until they need to split up, it saves on fuel. It might not quite achieve the crazy traffic mentioned above but would act much as trucks and buses do in current traffic.</p>
<h2>My kids will never learn to driver</h2>
<p>I don't have kids yet, but I am optimistic about timelines and I'd like to believe I'll be able to take an autonomous taxi ride within the next 10 years.</p>
<h2>Paid parking lots will be a thing of the past</h2>
<p>I guess this might be an obvious one, but why pay for parking at work or at the airport when you can just get the car to drop you off and drive away.</p>The internet reaction threshold2018-10-18T08:00:00+08:002018-10-18T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-10-18:/the-internet-reaction-threshold.html<p><img alt="Internet Reaction Threshold" src="https://xo.tc/images/internet-reaction-threshold.png"></p>
<p>I've noticed a lot of the sites I hang out on are getting more an more vitriolic, there are lots of theories about why this is and I'd like to add the Internet Reaction Threshold to the mix.</p>
<p>Say someone posts a controversial video to YouTube. I like <a href="https://www.youtube.com/watch?v=LeoklwonIMQ">one</a> by …</p><p><img alt="Internet Reaction Threshold" src="https://xo.tc/images/internet-reaction-threshold.png"></p>
<p>I've noticed a lot of the sites I hang out on are getting more an more vitriolic, there are lots of theories about why this is and I'd like to add the Internet Reaction Threshold to the mix.</p>
<p>Say someone posts a controversial video to YouTube. I like <a href="https://www.youtube.com/watch?v=LeoklwonIMQ">one</a> by Matt Gray and Tom Scott where Tom presents the idea that lettuce is just used as a cheap filler vegetable as a wildly controversial view and the later in the video says "<a href="https://youtu.be/LeoklwonIMQ?t=2m58s">kids are basically small little tornados of destruction</a>" as though it's just an accepted fact.</p>
<p>Let's go with the lettuce thing although if it helps you feel free to mentally replace "lettuce" with anything that's genuinely controversial, guns, abortion, systemd, politics, whatever.</p>
<p>Say someone posts a video about lettuce, 95% of the people watching will either agree or disagree but can't be bothered adding their comment. It takes a lot of effort to write "Sure, I prefer spinach, but lettuce is cheaper and easier to grow, I guess it's all down to what your willing to pay for, let's all get along." and if people don't care that much they just go off and watch the next cat video.</p>
<p>Only the people with really strong feelings will take the time to comment, and so the comment thread becomes polarised.</p>
<p>The Internet Reaction Threshold coupled with the fact that posts which get the most reactions are promoted creates a horrible feedback loop. People who post neutral feelings about lettuce don't get as much attention as those who are super-pro-lettuce or super-anti-lettuce.</p>
<hr>
<p>Graph made with <a href="http://xkcdgraphs.com/">xkcdgraphs</a>.</p>What is yak shaving?2018-10-11T08:00:00+08:002018-10-11T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-10-11:/what-is-yak-shaving.html<p>I know things like the <a href="http://catb.org/jargon/html/">Jargon File</a> exist, but I'm having fun writing this.</p>
<p>There is a gif from Malcolm in the Middle that's been floating around the internet for years that explains Yak Shaving better than I ever could.</p>
<p><img alt="Yak Shaving" src="https://xo.tc/images/yackshaving-lightbulb.gif"></p>
<p>It's basically when you need a series of often trivial …</p><p>I know things like the <a href="http://catb.org/jargon/html/">Jargon File</a> exist, but I'm having fun writing this.</p>
<p>There is a gif from Malcolm in the Middle that's been floating around the internet for years that explains Yak Shaving better than I ever could.</p>
<p><img alt="Yak Shaving" src="https://xo.tc/images/yackshaving-lightbulb.gif"></p>
<p>It's basically when you need a series of often trivial things before you can do your main goal. The way it was explained to me was:</p>
<p>Your friend asks you to restore a WordPress site onto their server, it should take 5 minutes to do so you say sure.</p>
<ul>
<li>You want to restore WordPress from a backup</li>
<li>but to do that you need to update their PHP</li>
<li>but to do that you need to fix a broken dependency on an old PHP package</li>
<li>but to do that you need a library that has to be compiled from source</li>
<li>but to do that you need to install a GCC</li>
<li>but to do that you need to fix an issue with their apt-get</li>
<li>but to do that you need to schedule a reboot</li>
<li>but to do that you need to ...</li>
<li>...</li>
<li>...</li>
<li>but to do <em>that</em> you need to hike to the top of a Tibetan mountain and shave the hair off a Yak.</li>
</ul>
<p><a href="https://commons.wikimedia.org/wiki/File:Bos_grunniens_at_Yundrok_Yumtso_Lake.jpg"><img alt="Tibetan Yak" src="https://xo.tc/images/Bos_grunniens_at_Yundrok_Yumtso_Lake.jpg"></a></p>What is bikeshedding?2018-10-04T08:00:00+08:002018-10-04T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-10-04:/what-is-bikeshedding.html<p>If you have spent much time hanging out on technical email lists or forums you might have come across the term "bikesheding" essentially it means to spend time talking about the little details which everyone has an opinion on and to some degree ignoring the important things.</p>
<p>It comes from …</p><p>If you have spent much time hanging out on technical email lists or forums you might have come across the term "bikesheding" essentially it means to spend time talking about the little details which everyone has an opinion on and to some degree ignoring the important things.</p>
<p>It comes from a book called <a href="https://books.google.com/books/about/Parkinson_s_Law_Or_the_Pursuit_of_Progre.html?id=zcSqQwAACAAJ">Parkinson's Law: Or the Pursuit of Progress</a> which is responsible for many economic theories but in particular the <a href="https://en.wikipedia.org/wiki/Law_of_triviality">Law of triviality</a> which talks about a committee approving a massive nuclear power plant and none of them really understand nuclear reactors so they approve it without comment.</p>
<p>But when it comes time to build the bike shed at the power plant for the employees to park their bikes everyone has an opinion on what material it should be made from, wood, fiberglass, tin and what colour the shed should be painted and so that gets discussed for hours.</p>
<p>Recently one of the technologists I admire most, Guido van Rossum, the inventor of Python <a href="https://lwn.net/Articles/759654/">stepped down</a> after a change to the Python language that was made <a href="https://lwn.net/Articles/757713/">particularly difficult</a> by the fact that everyone had an opinion. It was ultimately a fairly small change, but very controversial.</p>
<p>I've been in meetings about websites I'm working on where I've thought, I don't really like that font, or I don't really like that particular shade of red. But I've held my tongue because I know that if I start the conversation, everyone will have an opinion about the colour scheme. The thing is, as long as the colours are not so bad that they will cause accessibility issues, it's far more important to focus on content and functionality.</p>People will ignore warnings that were wrong in the past.2018-09-27T08:00:00+08:002018-09-27T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-09-27:/people-will-ignore-warnings-that-were-wrong-in-the-past.html<p>This is basically a <a href="https://en.wikipedia.org/wiki/The_Boy_Who_Cried_Wolf">boy who cried wolf</a> story.</p>
<p>I was recently on a road trip through Newfoundland in Canada, and as we were driving along. I was driving and I saw a sign that said construction ahead. Followed by a sign warning that the speed limit would soon change …</p><p>This is basically a <a href="https://en.wikipedia.org/wiki/The_Boy_Who_Cried_Wolf">boy who cried wolf</a> story.</p>
<p>I was recently on a road trip through Newfoundland in Canada, and as we were driving along. I was driving and I saw a sign that said construction ahead. Followed by a sign warning that the speed limit would soon change to 50 kph. That was closely followed by a sign that said up to $1,500 fine for speeding in a construction area.</p>
<p>I didn't want to get a $1,500 fine so I dutifully slowed down from 100 kph to 50 ... Yes, I was <em>that</em> guy with a string of cars behind me. After about 2 or 3 km with not a single sign of construction, I passed a "construction ends" sign and speed up again.</p>
<p>We changed drivers a few times along the trip and went through several more "construction zones" which didn't have the slightest sign of construction and eventually began to just ignore them like everyone else was doing.</p>
<p>Then sometime after the 30th zone we suddenly came across a bunch of people working on the road and had to brake sharply because we weren't expecting them.</p>
<p>It's the same with things like SSL warning messages, I've lost count of the number of times I've seen SSL warning messages when connecting to wireless networks which have captive portals. I know that it's not because they are trying to man-in-the-middle my banking details, but they are trying to redirect me to their site so I can agree to their terms and conditions.</p>
<p>Accepting that captive portals are a thing that won't go away, Android and Firefox on Linux have a solution where they try to reach out known site over HTTP and if the connection gets redirected then they pop up with a little warning message that says "This network requires a sign in..." and takes the user to the sign in page.</p>
<p>I assume other OS and Browsers have similar features. While I wish captive portals didn't exist, I also accept they are not going away. A little "sign in" pop up is better than training people to click through SSL warnings whenever they connect to an open wireless network.</p>The one-time pad is not a perfect cipher2018-09-20T08:00:00+08:002018-09-20T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-09-20:/the-one-time-pad-is-not-a-perfect-cipher.html<p>A little bit of knowledge is a dangerous thing.</p>
<p>This will come as no surprise to professional cryptographers but it's a mistake that I see armature cryptographers make over and over again.</p>
<p>When you do crypto 101 you learn that one-time pad provides "Perfect Secrecy" and that it's provably secure …</p><p>A little bit of knowledge is a dangerous thing.</p>
<p>This will come as no surprise to professional cryptographers but it's a mistake that I see armature cryptographers make over and over again.</p>
<p>When you do crypto 101 you learn that one-time pad provides "Perfect Secrecy" and that it's provably secure, it's mathematically impossible to break it.</p>
<p>But while the one time pad provides perfect <strong>secrecy</strong> it does <em>not provide</em> <strong>integrity</strong>. It is therefore vulnerable to a known plaintext attack.</p>
<p>If you know what the message is, you can change it without the change being detected. Consider the following scenario;</p>
<p>In the army Alice has a messenger boy called Malroy who she suspects of being a spy, she wants to send the message to Bob, the General of the army, but she can't trust her messenger. So she writes the message "Execute Malroy Immediately" encrypts it with the one time pad she has shared with Bob and hands Malroy his own (encrypted) death warrant.</p>
<p>As it happens Alice was right, Malroy was a spy and as it happens he knows what the message says and decides he wants to change it to "Promote Malroy Immediately"</p>
<p>Malroy can simply xor "Execute Malroy Immediately" with "Promote Malroy Immediately" and then xor that with the encrypted message to change its continence.</p>
<p>That might seem like a contrived example, and to a degree it is. But known plaintext attacks are a real problem and crop up more often than you might expect. There was a recent <a href="https://alter-attack.net/#active">attack on LTE</a> which was using AES-CTR which also doesn't provide authenticated encryption. The cryptographers figured out where in the packet the IP address of the DNS server was and they could inject the IP address of their own DNS server without breaking the encryption, and then use their own DNS server to get man-in-the-middle access to phones.</p>A simple hack to get around VPN IP conflicts2018-09-13T08:00:00+08:002018-09-13T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-09-13:/a-simple-hack-to-get-around-vpn-ip-conflicts.html<div class="highlight"><pre><span></span><code>sudo ip route add 192.168.1.2 dev ppp0
</code></pre></div>
<p>Recently my Aunty had some problems with her backup software at her business and asked if I could help. I could connect in to their VPN but their network was on the <code>192.168.1.1/24</code> subnet and I …</p><div class="highlight"><pre><span></span><code>sudo ip route add 192.168.1.2 dev ppp0
</code></pre></div>
<p>Recently my Aunty had some problems with her backup software at her business and asked if I could help. I could connect in to their VPN but their network was on the <code>192.168.1.1/24</code> subnet and I was on a hotel WiFi that was also on the <code>192.168.1.1/24</code> subnet.</p>
<p>The best solution would be to change the subnets, but I couldn't really ask the hotel to change their network and my Aunty wasn't about to change either.</p>
<p>There are some ways you can make it work with DNS and NAT but that's a lot of work to set up and I really just wanted to access one server quickly.</p>
<p>Instead in Linux you can use the ip command to tell it that you want to route packets via a specific interface so I was able to force all packets for <code>192.168.1.2</code> over the VPN.</p>
<div class="highlight"><pre><span></span><code>sudo ip route add 192.168.1.2 dev ppp0
</code></pre></div>
<p>I was able to access the server and fix the backups. It's not a good long term solution because it will break other things, but it's a neat little hack that can get you out of a pinch.</p>Rediscovering F-Droid2018-09-06T08:00:00+08:002018-09-06T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-09-06:/rediscovering-f-droid.html<p>I recently bought a Nokia 6.1 and I've been <a href="https://xo.tc/nokia-61-review.html">Loving it</a> but it's running stock Android and one of the best ways to secure your Android device is to not install random apps that you don't trust, and especially not to install untrusted apps that didn't come from the …</p><p>I recently bought a Nokia 6.1 and I've been <a href="https://xo.tc/nokia-61-review.html">Loving it</a> but it's running stock Android and one of the best ways to secure your Android device is to not install random apps that you don't trust, and especially not to install untrusted apps that didn't come from the Google Play store.</p>
<p>On my old Samsung Galaxy S4, I ran Lineage OS (previously CyanogenMod). On my Nexus 6P it was a mix, so on my Nokia 6.1, I tried to just use to Play Store for a while. However, I trust the F-Droid store and I wanted a couple of apps that are not in the Play Store so I installed it.</p>
<p>I'm not sure when Android made the change<sup id="fnref:change"><a class="footnote-ref" href="#fn:change">1</a></sup> but now instead of having a single "Allow unknown apps" switch in the settings, there is one per App, so when I downloaded the F-Droid APK I was asked to allow Firefox to install unknown apps.</p>
<p><img alt="Android Firefox untrusted apps" src="https://xo.tc/images/firefox-install-untrusted-apps.png"></p>
<p>Then after that, I was asked to allow F-Droid to install untrusted apps. Once I'd allowed that I went back and removed the permission from Firefox:</p>
<p>Long press on Firefox icon > App Info (Drag it to the top) > Install unknown apps (scroll to the bottom)</p>
<p>Now I've got the F-Droid store on there I'm much happier, they have updated the <abbr title="User Interface">UI</abbr> and it's much cleaner, but more importantly, the F-Droid store just has much less horrible junk apps.</p>
<p>Very, very few of the Apps in the F-Droid store contain advertisements, and fewer still contain in-app purchases.</p>
<p>The official Google Play store is filled with ad-supported apps and it provides almost no way to filter them, for example, I'd love a search function where you could restrict it to only Apps that don't have ads and don't push in-app purchases.</p>
<p>A classic example is when you search for "Flashlight" the top result that comes up contains both ads, and in-app purchases.</p>
<p><img alt="Flashlight with ads" src="https://xo.tc/images/flashlight-ads.png"></p>
<p>and on top of that, it requires access to:</p>
<ul>
<li>Location<ul>
<li>approximate location (network-based)</li>
<li>precise location (GPS and network-based)</li>
</ul>
</li>
<li>Photos / Media / Files<ul>
<li>read the contents of your USB storage</li>
</ul>
</li>
<li>Storage<ul>
<li>read the contents of your USB storage</li>
</ul>
</li>
<li>Camera<ul>
<li>take pictures and videos</li>
</ul>
</li>
<li>Other<ul>
<li>view network connections</li>
<li>full network access</li>
<li>control vibration</li>
</ul>
</li>
</ul>
<p>That's a lot of permissions for something that's just going to switch the LED light on and off.</p>
<p>As a counterexample when you search "Flashlight" in the F-Droid the <a href="https://f-droid.org/en/packages/com.simplemobiletools.flashlight/">first result</a> that comes up has no ads or in-app purchases and only needs camera<sup id="fnref:camera"><a class="footnote-ref" href="#fn:camera">2</a></sup> and flashlight permissions which seems reasonable.</p>
<p>For a while I toyed with the idea of creating a web crawler and indexing the Play Store to create a site which provides advanced search of apps on the Play Store to filter out the junk but that seems like a lot of work to build and maintain for very little gain when the F-Droid store contains a great repository of nicely curated open source apps.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:change">
<p>I suspect it was between Android 7.0 Nougat and Android 8.0 Oreo. <a class="footnote-backref" href="#fnref:change" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:camera">
<p>From what I can tell the camera permission is needed because some builds of Android won't allow access to the LED without camera access. <a class="footnote-backref" href="#fnref:camera" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>Making #FFFFFF brighter2018-08-30T08:00:00+08:002018-08-30T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-08-30:/making-ffffff-brighter.html<p>Years ago I used to occasionally read a site called "Clients from hell" basically a page where people (generally freelance graphic designers) could post funny stories about horrible clients and misunderstandings.</p>
<p>Generally, the stories went along the lines of:<br>
<strong>Client</strong>: I want you to do X work for me.<br>
<strong>Freelance …</strong></p><p>Years ago I used to occasionally read a site called "Clients from hell" basically a page where people (generally freelance graphic designers) could post funny stories about horrible clients and misunderstandings.</p>
<p>Generally, the stories went along the lines of:<br>
<strong>Client</strong>: I want you to do X work for me.<br>
<strong>Freelance graphic designer</strong>: Sure that will cost Y dollars.<br>
<strong>Client</strong>: Oh, I didn't think I'd have to pay you for that, it's just pictures and stuff. </p>
<p>or the ever popular misunderstandings of how technology works<br>
<strong>Freelance web designer</strong>: I've updated the site with the changes you wanted.<br>
<strong>Client</strong>: Really? Because the paper copy I printed out last week hasn't changed. </p>
<p>However there was one story that came up over and over that always annoyed me, it runs along the lines of;<br>
<strong>Client</strong>: Can you make X thing brighter?<br>
<strong>Freelance graphic designer</strong>: No, it's #FFFFFF, it's impossible, it is as bright as it can be.<br>
<strong>Client</strong>: Please, just a little brighter would make it look better.<br>
<strong>Freelance graphic designer</strong>: <em>changes nothing</em> ... Sure there you go, it's brighter now.<br>
<strong>Client</strong>: Ok, thanks.<br>
<strong>Freelance graphic designer</strong>: <em>Posts on Clients from Hell about how dumb the client is.</em>* </p>
<p>The thing is, it's not the client that's at fault there, it's the designer.</p>
<p>I'm sure many people would have seen the <a href="https://en.wikipedia.org/wiki/Checker_shadow_illusion">checker shadow illusion</a> before.</p>
<p><img alt="checker shadow illusion" src="https://xo.tc/images/grey-square-optical-illusion.png"></p>
<p>for those of you that haven't, the squares A and B are the same colour. This can be verified by using your favourite image editing tool or even with Firefox press F12, select the eyedropper tool and you will see they are both #787877</p>
<p><img alt="Firefox eyedropper tool" src="https://xo.tc/images/firefox-eyedropper-tool.png"></p>
<p>When the client is saying "Make it brighter" what they probably mean is "Make it <em>appear</em> brighter" and as a graphic designer, it's their job to explain that maybe we can make the background darker and that will make the foreground look brighter.</p>
<p>It's the same in IT security, our job as professionals to interpret what the client is asking for. When a client asks for "A website that's impossible to hack" as a security professional, you can't guarantee there will never be any 0 day in Apache or Nginx or whatever you use. But you can explain to the client that maybe what they are really looking for is a static website hosted on GitHub or whatever is appropriate for their situation.</p>Nokia 6.1 Review2018-08-23T08:00:00+08:002018-08-23T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-08-23:/nokia-61-review.html<h2>TLDR</h2>
<p>I bought a Nokia 6.1, I've used it for 3 months, I think it's brilliant. My wife's old phone needed replacing, I was so happy with my phone that I suggested she get a Nokia 6.1 too.</p>
<h2>Some context</h2>
<p>In May 2018 I bought a Nokia 6 …</p><h2>TLDR</h2>
<p>I bought a Nokia 6.1, I've used it for 3 months, I think it's brilliant. My wife's old phone needed replacing, I was so happy with my phone that I suggested she get a Nokia 6.1 too.</p>
<h2>Some context</h2>
<p>In May 2018 I bought a Nokia 6.1 because my Nexus 6P died. I managed to get the 64GB storage / 4GB RAM / Dual Sim version for just $300 AUD. So it's a mid-range priced phone, it's less than a third of the price of the latest iPhone or Google Pixel which each retail for over $1,000 AUD in Australia.</p>
<p>The thing is despite being a technology enthusiast who runs Arch Linux to get the latest and greatest I'm actually quite minimalist. Both on my phone and my laptop I only install the packages I need and despise bloat.</p>
<p>As such I wanted to get a phone that ran <a href="https://www.android.com/one/">Android One</a> so I would get as close to the stock Android experience as possible without all the vendor bloat. I remember when I got my Samsung Galaxy S4, it came from Telstra (Australia's largest telco) and came pre-installed with about 30 junk apps like the "AFL Footie scores" or the "Samsung Store" and "Crayon Physics" which could not be removed until I wiped the whole phone and put on CyanogenMod.</p>
<p>Similarly, as a security professional, I wanted a phone that was guaranteed to receive regular security updates for at least two years<sup id="fnref:guaranteed"><a class="footnote-ref" href="#fn:guaranteed">1</a></sup>. Again that meant a phone that was in the <a href="https://www.android.com/one/">Android One</a> program.</p>
<p>Lastly with new phones that come out each year, for the last 5 years or more there has really been nothing other than a <a href="https://xo.tc/fingerprint-readers-on-phones.html">Fingerprint reader</a> that I've thought was a huge improvement.</p>
<p>Every year it's the same black glass brick with no buttons. Maybe this year's model has rounded corners and last year's had square, or maybe this year's phone's CPU is 5~10% faster or has a little more ram, or has slightly more pixels, slightly better battery life or whatever. But it's always just a small improvement over last year's phone. In fact, storage on most phones went down for a while, I had a Nokia N81 in 2007 with 8GB of storage. Later I got a Nokia N97 which had 32GB storage with an SD card slot which is better than many phones sold today.</p>
<p>I don't play fancy games that need great 3D graphics or lots of CPU/RAM.</p>
<p>What I'm saying is that I'm very happy with a low-end phone.</p>
<h2>The actual review</h2>
<p>In for what I need the Nokia 6.1 is if anything overkill. It's very snappy, all the apps open quickly, I've never noticed any lag, the one game I do play on my phone <a href="http://supercell.com/en/games/clashofclans/">Clash of Clans</a> run smoothly without a hitch.</p>
<p>The camera could be a little better in low light conditions but it's still pretty good. Below are a few pictures taken on the Nokia 6.1, I have not added any filters or post-processing to correct the colours. Click on them to see the full picture with no metadata removed.<sup id="fnref:metadata"><a class="footnote-ref" href="#fn:metadata">2</a></sup></p>
<p><a href="https://xo.tc/images/nokia-6-1-atacama-full.jpg"><img alt="Atacama Desert photo on Nokia 6.1" src="https://xo.tc/images/nokia-6-1-atacama-small.jpg"></a></p>
<p><a href="https://xo.tc/images/nokia-6-1-salta-full.jpg"><img alt="Salta photo on Nokia 6.1" src="https://xo.tc/images/nokia-6-1-salta-small.jpg"></a></p>
<p><a href="https://xo.tc/images/nokia-6-1-sunset-full.jpg"><img alt="Sunset from a moving bus on Nokia 6.1" src="https://xo.tc/images/nokia-6-1-sunset-small.jpg"></a></p>
<p><a href="https://xo.tc/images/nokia-6-1-sherborne-church-full.jpg"><img alt="Church in Sherborne, UK on a Nokia 6.1" src="https://xo.tc/images/nokia-6-1-sherborne-church-small.jpg"></a></p>
<p><em>In fairness, I've picked some of the best pictures, there were a lot of bad ones too, but it shows what can be done</em></p>
<p>Physically it feels very solid. Some of the low-end phones can feel very plasticy (and there was some story about bending iPhones) but the Nokia 6.1 feels great. I've dropped my phone on cement and stone a few times (without a case) and it hasn't even scratched yet.</p>
<p>The battery life is good, constant heavy uses playing games and watch movies on a plane with the screen on full brightness it lasts about 12~13 hours, if left in my pocket and just used to take the occasional photo or send WhatsApp messages I can easily go 48 hours or more on a single charge.</p>
<p>The fingerprint reader is good but not quite as good as the one on my old Nexus 6P, occasionally I've needed to try a few times to unlock the phone especially with sweaty hands.</p>
<p>From a software and security point of view, it's outstanding. As I've mentioned above it is part of the <a href="https://www.android.com/one/">Android One</a> program. Which means it gets security patches over the air every month and stays on the latest patch level. So far I've got the patches within a week or so of them being released.</p>
<p>I only have two complaints one is that the battery is not replaceable so when it inevitably wears out I will need to get a whole new phone.</p>
<p>The other is that I can't easily unlock the bootloader and reflash my phone which for 99% of people is not a problem anyway.</p>
<h2>Conclusion</h2>
<p>After I'd had my phone for about 2 and a half months my Wife's phone (Sony Xperia Z5) started showing dead pixels and we decided it needed replacing. I was so happy with my Nokia 6.1 and my wife had used it a fair bit and liked it too so we decided to get a second one for her.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:guaranteed">
<p>Actually I think that there should be a law that phone manufacturers must support the devices they sell until a given date, see my rant on <a href="https://xo.tc/expiry-dates-on-smart-phones-and-other-iot-devices.html">Expiry dates on smart phones and other IoT devices</a>. <a class="footnote-backref" href="#fnref:guaranteed" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:metadata">
<p>I know this includes things like the GPS coordinates where the photo was taken, I'm fine with that. <a class="footnote-backref" href="#fnref:metadata" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>Live chat support on websites2018-08-16T08:00:00+08:002018-08-16T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-08-16:/live-chat-support-on-websites.html<p>I'll just come out and say it, I like those live chat support things on websites.</p>
<p><img alt="Image Name" src="https://xo.tc/images/live-chat-button.png"></p>
<p>I feel like I should dislike them because they are usually clunky and often show as a popup at an inconvenient time rather than just an option on the contact us page. There are …</p><p>I'll just come out and say it, I like those live chat support things on websites.</p>
<p><img alt="Image Name" src="https://xo.tc/images/live-chat-button.png"></p>
<p>I feel like I should dislike them because they are usually clunky and often show as a popup at an inconvenient time rather than just an option on the contact us page. There are <a href="https://www.cyberscoop.com/ticketmaster-inbenta-technologies-chat-app-accused-breach/">stories</a> about websites getting compromised because the 3rd party JavaScript they added to get the chat tool has been compromised.</p>
<p>But despite all their failings, I still like them. I think it's because when I need support on a website I don't want to send an email because I want support <em>now</em> I don't want to wait hours for each response.</p>
<p>I also don't like to pick up the phone and call. Maybe I'm unique in that but;</p>
<ul>
<li>Calls are ephemeral and I like to have a record of what was said.</li>
<li>I can't multi-task well while I'm on the phone. I can open a chat window then go to another tab and periodically check to see if I've got a reply (or wait for it to make a noise or whatever). If I got a reply 45 seconds ago, the support person is not going to mind that it took a minute for my reply. But when I'm on hold on the phone I feel like I need to be constantly attentive because if the support person says "Thanks for holding" and I don't reply for 45 seconds they might just hang up.</li>
<li>There are no issues with accent, often people have issues understanding my Australian accent and I have issues understanding their accent. I've learned the phonetic alphabet and that helps but it's still a struggle sometimes.</li>
<li>I can think about my reply and re-read what they said. This is kind of a mix of the two points above but I feel it's still distinct. If someone says "Do you have xyz reference number" I can spend a minute to look for it (probably copy and paste it from wherever it is) and send it back without all that "Ummm... yes, I've got it here somewhere just let me rummage through my papers... ahh... here it is just let me read it out for you"</li>
<li>I can use Google Translate. I've needed to contact an airline about a ticket and their support only spoke Spanish, it needed a bit of back and forth so chat worked better than email and I could just copy paste each of the messages into Google Translate. It wasn't perfect but it was pretty good and it got the job done.</li>
</ul>
<p>Maybe I also like them because of the fact that as a teenager I spent several hours every night hanging out with my friends on MSN Messenger / IRC / Yahoo Chat / etc... so I'm just more comfortable with online chat.</p>How many android patterns are there?2018-08-09T08:00:00+08:002018-08-09T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-08-09:/how-many-android-patterns-are-there.html<p>This is a post I've had kicking around in my drafts folder for just over 2 years now so I've decided to publish it as a partly complete problem.</p>
<p>One of my favorite pastimes, when I'm bored, is solving the puzzles on <a href="https://projecteuler.net/">Project Euler</a><sup id="fnref:project-euler"><a class="footnote-ref" href="#fn:project-euler">1</a></sup>. I'm not very far through …</p><p>This is a post I've had kicking around in my drafts folder for just over 2 years now so I've decided to publish it as a partly complete problem.</p>
<p>One of my favorite pastimes, when I'm bored, is solving the puzzles on <a href="https://projecteuler.net/">Project Euler</a><sup id="fnref:project-euler"><a class="footnote-ref" href="#fn:project-euler">1</a></sup>. I'm not very far through but I've solved 56 at the time of this writing. It's as much about writing the code and learning the language, in my case Python, as it is about actually solving the problems.</p>
<p>The questions are good because they look like there must be a simple way to calculate the answer but it's not immediately obvious<sup id="fnref:immediately-obvious"><a class="footnote-ref" href="#fn:immediately-obvious">2</a></sup>. An interesting question that I think is worthy of Project Euler is:</p>
<blockquote>
<p>How many possible Android lock screen patterns are there? And how would you calculate it for arbitrarily sized grids?</p>
</blockquote>
<p>Let's examine the standard size first, initially if we are just working with a 3 x 3 grid it might help to think of the positions as numbers from 1 to 9.</p>
<p><img alt="Android 3 x 3 grid" src="https://xo.tc/images/android-pattern-3-3-grid.png"></p>
<p>Initially, we might (incorrectly) think, there are 9 possible starting positions, then 8 remaining moves, then 7 and so on. So it would be 9!</p>
<div class="highlight"><pre><span></span><code><span class="o">>>></span> <span class="kn">import</span> <span class="nn">math</span>
<span class="o">>>></span> <span class="n">math</span><span class="o">.</span><span class="n">factorial</span><span class="p">(</span><span class="mi">9</span><span class="p">)</span>
<span class="mi">362880</span>
</code></pre></div>
<p>But then we can't use a pattern of fewer than 3 positions so if we remove all there digit options</p>
<div class="highlight"><pre><span></span><code><span class="o">>>></span> <span class="n">math</span><span class="o">.</span><span class="n">factorial</span><span class="p">(</span><span class="mi">9</span><span class="p">)</span> <span class="o">-</span> <span class="p">(</span><span class="mi">9</span> <span class="o">*</span> <span class="mi">8</span> <span class="o">*</span> <span class="mi">7</span><span class="p">)</span>
<span class="mi">362376</span>
</code></pre></div>
<p>However this is not right for a few reasons, first 9! (362880) is only the number of combinations of length 9 so to get all the possible combinations</p>
<div class="highlight"><pre><span></span><code><span class="o">>>></span> <span class="kn">import</span> <span class="nn">itertools</span>
<span class="o">>>></span> <span class="n">positions</span> <span class="o">=</span> <span class="p">[</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">9</span><span class="p">]</span>
<span class="o">>>></span> <span class="nb">len</span><span class="p">(</span><span class="nb">list</span><span class="p">(</span><span class="n">itertools</span><span class="o">.</span><span class="n">permutations</span><span class="p">(</span><span class="n">positions</span><span class="p">,</span> <span class="mi">9</span><span class="p">)))</span> <span class="c1"># 362880</span>
<span class="o">>>></span> <span class="nb">len</span><span class="p">(</span><span class="nb">list</span><span class="p">(</span><span class="n">itertools</span><span class="o">.</span><span class="n">permutations</span><span class="p">(</span><span class="n">positions</span><span class="p">,</span> <span class="mi">8</span><span class="p">)))</span> <span class="c1"># 362880</span>
<span class="o">>>></span> <span class="nb">len</span><span class="p">(</span><span class="nb">list</span><span class="p">(</span><span class="n">itertools</span><span class="o">.</span><span class="n">permutations</span><span class="p">(</span><span class="n">positions</span><span class="p">,</span> <span class="mi">7</span><span class="p">)))</span> <span class="c1"># 181440</span>
<span class="o">>>></span> <span class="nb">len</span><span class="p">(</span><span class="nb">list</span><span class="p">(</span><span class="n">itertools</span><span class="o">.</span><span class="n">permutations</span><span class="p">(</span><span class="n">positions</span><span class="p">,</span> <span class="mi">6</span><span class="p">)))</span> <span class="c1"># 60480</span>
<span class="o">>>></span> <span class="nb">len</span><span class="p">(</span><span class="nb">list</span><span class="p">(</span><span class="n">itertools</span><span class="o">.</span><span class="n">permutations</span><span class="p">(</span><span class="n">positions</span><span class="p">,</span> <span class="mi">5</span><span class="p">)))</span> <span class="c1"># 15120</span>
<span class="o">>>></span> <span class="nb">len</span><span class="p">(</span><span class="nb">list</span><span class="p">(</span><span class="n">itertools</span><span class="o">.</span><span class="n">permutations</span><span class="p">(</span><span class="n">positions</span><span class="p">,</span> <span class="mi">4</span><span class="p">)))</span> <span class="c1"># 3024</span>
<span class="c1"># Total 985824</span>
</code></pre></div>
<p>Second now we know how many combinations there are, we see that not all combinations are valid, for example while we can have 1234.</p>
<p><img alt="Android pattern 1-2-3-4" src="https://xo.tc/images/android-pattern-1-2-3-4.png"></p>
<p>We can't have 1324 because there is no way to get from 1 to 3 without going through 2, even if you try to avoid it the line snaps to any positions it passes through.</p>
<p><img alt="Android pattern 1-3" src="https://xo.tc/images/android-pattern-1-3.gif"></p>
<p>I found a few incorrect solutions online which simply had a list of invalid moves such as from 1 to 3, from 7 to 9 and so on, but this is not correct either. We can't simply say that moving from 1 to 3 is always invalid because once a position has been used we can jump over it so we can have 2413 as a valid pattern which does go from 1 to 3.</p>
<p><img alt="Android Pattern 2-4-1-3" src="https://xo.tc/images/android-pattern-2-4-1-3.png"></p>
<p>This might be obvious, but just to clearly state it; While you can't jump over an unchecked position, you don't need to move to an adjacent position, for example, knights moves are valid, so we can have 1834</p>
<p><img alt="Android Pattern 1-8-3-4" src="https://xo.tc/images/android-pattern-1-8-3-4.png"></p>
<p>But just when we think we are getting a handle on things, LineageOS (previously CyanogenMod) throws a spanner in the works by allowing grids up to 6 x 6. For a larger grid, I think it's easier to switch to a coordinate system instead of numbered positions.</p>
<p><img alt="Android 6 x 6 grid" src="https://xo.tc/images/android-pattern-6-6-grid.png"></p>
<p>This brings in a whole new range of moves, for example <code>[(0,3), (5,0), (2,5), (2,4), (2,3), (2,2), (2,1), (2,0), (5,5), (0,2)]</code></p>
<p><img alt="Android Pattern 03 50 25 24 23 22 21 20 55 02" src="https://xo.tc/images/android-pattern-03-50-25-24-23-22-21-20-55-02.png"></p>
<p>and it brings some new invalid moves, we can't go from <code>[(0,0), (4,2)]</code> without passing through <code>(2,1)</code></p>
<p><img alt="Android Pattern 00 21 42" src="https://xo.tc/images/android-pattern-00-21-42.png"></p>
<p>After banging my head on a wall for a while, I searched online for a solution and the <a href="https://www.quora.com/Android-operating-system-How-many-combinations-does-Android-9-point-unlock-have">best answer</a> I found was a 3 x 3 grid has <strong>389112</strong> possible patterns.</p>
<p>That's great, but every single correct solution I could find involved a brute force approach. Trying every possible combination and then discarding the invalid ones.</p>
<p>When it's just a simple 3 x 3 grid with only 985824 combinations to check brute force is not a bad way to go.</p>
<p>With a 4 x 4 grid (16 positions, over 4,000,000,000,000 combinations to check) brute force becomes incredibly hard but still within the realms of modern computers. By the time we get to 6 x 6 grids (36 positions, more than 2^128 combinations to check) it's downright impossible on current hardware.</p>
<p>There are some things we can do to speed things up though, for example the last two lengths (e.g. on the 3 x 3 grid that combinations of length 8 and 9) will always have the same number of possible combinations because every combination of 8 positions has exactly one corresponding combination of 9 positions.</p>
<p>So the problem that I haven't been able to crack is, can we design an <em>efficient</em> algorithm that can calculate the number of possible moves on an arbitrarily sized grid? not just square grids, what about 3 x 9 for example.</p>
<hr>
<p>All pictures generated with <a href="http://fossil.shick.xyz/lockpatterngenerator/index">Lock Pattern Generator</a></p>
<hr>
<p>If you are a maths genius and you have a solution please get in touch. I'd love to know and I'll update this post with a link to your solution, michael at hybr dot id dot au</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:project-euler">
<p>I know what you must be thinking, and you're right! I <em>am</em> great fun to sit next to at parties... Only I don't go out that much because who would want to be out with friends when you could be at home quietly solving maths problems!? All jokes aside I do enjoy Project Euler, it's like people who do sudoku or crossword to relax. <a class="footnote-backref" href="#fnref:project-euler" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:immediately-obvious">
<p>Or at least it's not immediately obvious to me. <a class="footnote-backref" href="#fnref:immediately-obvious" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>The value of instant feedback2018-08-02T08:00:00+08:002018-08-02T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-08-02:/the-value-of-instant-feedback.html<p>I am a huge believer in the value of instant feedback within security. It's important to pick at what point you give feedback because you don't want to risk spamming users. It's been <a href="https://www.schneier.com/blog/archives/2018/06/the_habituation.html">shown</a> several times that if you show users warnings and they are regularly false alarms that people …</p><p>I am a huge believer in the value of instant feedback within security. It's important to pick at what point you give feedback because you don't want to risk spamming users. It's been <a href="https://www.schneier.com/blog/archives/2018/06/the_habituation.html">shown</a> several times that if you show users warnings and they are regularly false alarms that people will tune out and ignore warnings.</p>
<p>But given at the right time, and not too often, giving instant feedback to users on what they are doing can provide great security controls.</p>
<p>Two examples of this are; user logins and important transactions.</p>
<p>If you have ever used Duo Push or Google's "Google Sign-In for Android" whenever you try to log in you will get a message on your phone saying, "Is it you trying to sign in?" this more than just 2 Factor authentication. You can get 2 Factor from any TOTP app like Google Authenticator, but this also lets you know if someone has tried to log into your account.</p>
<p>At work, all Administrators had two separate Active Directory logins, one administrative account, and a regular account. Most of the work could be done with just the regular account but if you ever logged in to a server with a domain admin account you would receive an email instantly. It didn't provide 2 Factor, but it gave feedback so if an account was compromised we would know about it.</p>
<p>Another great example was I have a Citibank credit card, and with the Citibank app, I can get push notifications every time there is a transaction. I think it's a great feature, sure someone could still use my card fraudulently once but I'd get a notification and contact the bank straight away rather than waiting until I check my statement.</p>
<p>Like I said at the top of the post, it's important not to spam people, but done right push notifications are a great security tool.</p>Don't put jokes in warnings2018-07-26T08:00:00+08:002018-07-26T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-07-26:/dont-put-jokes-in-warnings.html<p>There is a vlog series I quite enjoy <a href="https://www.youtube.com/channel/UCRUULstZRWS1lDvJBzHnkXA">Matt and Tom's park bench</a> and one thing they have discussed a couple of times is that the London underground has a number of signs that are used for important information and warnings like "The Piccadilly line is not running today".</p>
<p>But …</p><p>There is a vlog series I quite enjoy <a href="https://www.youtube.com/channel/UCRUULstZRWS1lDvJBzHnkXA">Matt and Tom's park bench</a> and one thing they have discussed a couple of times is that the London underground has a number of signs that are used for important information and warnings like "The Piccadilly line is not running today".</p>
<p>But sometimes, particularity around holidays like Easter, Christmas, and New Years they put up jokes on the signs like "We wanted to make a joke about Easter but couldn't think of one that was very bunny."</p>
<p>For someone who is fluent in English that might just be mildly annoying because you look up, see there is a notice on the LCD screen, worry that your train has been delayed, wait for it to scroll across before realising it's just a lame pun and then move on. For someone who is not fluent in English, it just adds to an already stressful situation.</p>
<p>The same should apply to <abbr title="User Interface">UI</abbr> design and security systems. I love a bit of humor in life, and some projects get this right. Python, for example, has a great mix of humor and in-jokes in their documentation to stop it from being too dry. But they don't put jokes into the important parts of the documentation or in error messages because the last thing some poor newbie who is debugging wants to read is some witty jokes that don't help them fix the problem.</p>
<p>It really shouldn't have to be said but:</p>
<blockquote>
<p>When designing a system, don't put jokes in warnings or in functional bits of documentation.</p>
</blockquote>Two new iPhone security features2018-07-19T08:00:00+08:002018-07-19T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-07-19:/two-new-iphone-security-features.html<p>I am at heart a bit of an open source hippy who sees the world through rose coloured glasses. I want to believe that Android<sup id="fnref:Android"><a class="footnote-ref" href="#fn:Android">1</a></sup> is the best mobile operating system because it is at it's core open source and it gives users the freedom to run their own …</p><p>I am at heart a bit of an open source hippy who sees the world through rose coloured glasses. I want to believe that Android<sup id="fnref:Android"><a class="footnote-ref" href="#fn:Android">1</a></sup> is the best mobile operating system because it is at it's core open source and it gives users the freedom to run their own code and inspect the code running on their device without needing to pay licensing agreements or sign NDAs. Unlike the walled garden that Apple has built.</p>
<p>However, if pushed I'd begrudgingly admit that if security is your priority Apple and the iPhone have the edge.</p>
<p>Apple has released two new security features for their latest version of iOS and I think they are really interesting to look at from the point of view of threat modeling because they cater to almost polar opposites of the threat landscape.</p>
<p>The two features are <em>USB Restricted mode</em> and <em>"tools for generating strong passwords, storing them in the iCloud keychain, and automatically entering them into Safari and iOS apps across all of a user's devices."</em> these two features nicely demonstrate what <a href="https://www.schneier.com/blog/archives/2012/01/going_dark_vs_a.html">Bruce Schneier</a> called
"Going Dark" vs. a "Golden Age of Surveillance"</p>
<p>With USB restricted mode, if someone has an iPhone and they are picked up by police, the police can no longer access their phone to look for incriminating material<sup id="fnref:incriminating-material"><a class="footnote-ref" href="#fn:incriminating-material">2</a></sup>. This is a great step forward and has privacy advocates cheering, but it's not something that most people have to worry about.</p>
<p>While with the password generation an storage, this is something that will result in a greatly increased security for a huge number of people. People generally are bad at picking passwords, bad at storing passwords and absolutely terrible at not repeating the same password across numerous systems. Letting your iPhone generate a password for you and syncing that across all your Apple devices is going to be a hell of a lot better than what most people are currently doing. It's not only going to be more secure but it's going to be easier and people will always take the easy option, it's like LastPass but built into the operating system.</p>
<p>If I had to give anyone the job of securing all that data I'd say companies like Apple and Google are about as good as you can get. <em>But</em> if Apple are syncing the passwords across devices then they <em>must</em> be storing the passwords in such a way that it's possible to recover the cleartext. That just opens up a whole can of worms, even Apple's best developers are still human, and humans make mistakes or can be bribed or threatened. There was a story no that long ago where some celebrity had their iCloud account password guessed and compromising photos leaked online, and that was a result of Apple forgetting to rate limit one of their services, so these things do happen.</p>
<p>So <strong>TLDR</strong></p>
<ul>
<li>
<p><strong>USB Restricted mode</strong> Good for the ~1% of people who are political activist or being surveilled by intelligence agencies? yes. Good for the ~99% of people who just want to keep their Facebook account safe? it can't hurt I guess.</p>
</li>
<li>
<p><strong>Password generation and cloud storage</strong>: Good for the ~1% of people who are political activist or being surveilled by intelligence agencies? maybe, it depends. Good for the ~99% of people who just want to keep their Facebook account safe? Yes.</p>
</li>
</ul>
<div class="footnote">
<hr>
<ol>
<li id="fn:Android">
<p>Actually, I still want to believe that in the future Maemo 5 from my old Nokia N900 or KDE Plasma Mobile will dominate the mobile market, but I'm at least somewhat in touch with reality, so Android it is. <a class="footnote-backref" href="#fnref:Android" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:incriminating-material">
<p>I feel like I'm flogging a dead horse here and I shouldn't need to say this but, just because something is incriminating or illegal doesn't mean it's immoral. There are still countries where it's illegal to be homosexual, a man could have pictures of him and his boyfriend kissing. Illegal yes, immoral no. <a class="footnote-backref" href="#fnref:incriminating-material" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>Creating Guest WiFi passwords2018-07-12T08:00:00+08:002018-07-12T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-07-12:/creating-guest-wifi-passwords.html<p>This is a <a href="https://rachelbythebay.com/w/2018/02/25/food/">half-baked idea</a> that's been knocking around in my mind for a couple of years now, I've never implemented it and maybe it's more of a solution in search of a problem, but I digress.</p>
<p>I've seen several places where they have guest WiFi and they have had …</p><p>This is a <a href="https://rachelbythebay.com/w/2018/02/25/food/">half-baked idea</a> that's been knocking around in my mind for a couple of years now, I've never implemented it and maybe it's more of a solution in search of a problem, but I digress.</p>
<p>I've seen several places where they have guest WiFi and they have had all sorts of strange solutions for making sure their guest WiFi is only used by guests and not all and sundry. Often this boils down to some horrible man-in-the-middle proxy that asks you for some sort of detail like your hotel reservation code or your flight number or some number printed on your coffee receipt.</p>
<p>So I thought about using a <a href="https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm">Time-based One-time Password</a> to generate a new code every day. The same way that the codes in Google Authenticator (or you 2FA app of choice) but instead of a 6 digit code numeric with a period of 30 seconds use a 12 digit base64 code and a period of 24 hours.</p>
<p>Then use some sort of network management software (or python and requests cludged together) to set the code as the PSK for your Guest WiFi. And put that code up on an LCD screen or somewhere your customers can see it but not public.</p>
<p>I did say this idea was half-baked, didn't I? To be honest the idea just interests me more because I think it would be an interesting application of ToTP codes to generate new random passwords every day rather than because I can think of any situations where it would actually be practical and useful.</p>Why I've gone off bitcoin a bit2018-07-05T08:00:00+08:002018-07-05T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-07-05:/why-ive-gone-off-bitcoin-a-bit.html<p>I first heard about Bitcoin at a Perth Linux Users Group talk in 2012 at a <a href="https://plug.org.au">Perth Linux Users Group</a> talk, where I thought it was a great idea but didn't think it would really take off so I didn't really pursue it.</p>
<p>But it kept coming up again an …</p><p>I first heard about Bitcoin at a Perth Linux Users Group talk in 2012 at a <a href="https://plug.org.au">Perth Linux Users Group</a> talk, where I thought it was a great idea but didn't think it would really take off so I didn't really pursue it.</p>
<p>But it kept coming up again an again so finally I took a more serious interest. I still think it's a great idea but lately, I've gone a little off bitcoin for 3 reasons:</p>
<ul>
<li>Power Consumption</li>
<li>Over-valuation</li>
<li>Over-Hyped block-chain technology</li>
</ul>
<p><strong>Power Consumption</strong>
Power Consumption is an interesting one, I was listening to a Risky Business podcast about a year or two ago (I can't find the episode) and they discussed how much power was being used to run all the GPUs / ASICs that are mining bitcoin. They linked to an article which said bitcoin minding was using some ridiculous amount of power like <a href="https://youtu.be/I5cYgRnfFDA?t=12s">1.21 Gigawatts</a> their comments were (paraphrasing) "I think the numbers are a bit rubbery but the general idea is right."</p>
<p>To mine bitcoin, you need compute power, and for that you need electricity, and for that people are burning fossil fuels.</p>
<p><strong>Over-valuation</strong>
There was a Last Week Tonight <a href="https://www.youtube.com/watch?v=g6iDZspbRMg">episode</a> where John Oliver called cryptocurrencies a giant ponzi scheme. I'd love to get angry and defensive about that, but unfortunately, for the most part, he is right.</p>
<p>Most buyers of bitcoin are buying it as an investment, and that's really not the point of a currency. Sure, some people trade in currency for a living, but for most people, you would only by Vietnamese Dong if you were going to go to Vietnam and expected to buy something with the currency.</p>
<p>With bitcoin, people buy it to hold on to it because the price is going up, but the price is only going up because people are buying it as an investment. I'm not sure if the bubble will burst or what will happen in the future, but right now most bitcoin is not being used to facilitate trade.<sup id="fnref:facilitate-trade"><a class="footnote-ref" href="#fn:facilitate-trade">1</a></sup></p>
<p>I'd love for this to change, but I don't know if it will</p>
<p><strong>Over-Hyped block-chain technology</strong>
I feel like people will invest in anything that got the word block-chain in it right now, Extra Credits even did an episode "<a href="https://www.youtube.com/watch?v=ywvTIM_eOVI">Can Blockchain Technology be a Game Mechanic?</a>" and they talked about how they could use the blockchain to track a weapon throughout the game. They say:</p>
<blockquote>
<p>"Okay, picture this: You start a game using a simple iron sword, you progress and level, and eventually use it to slay a boss named "Grillmig The Orc". Suddenly your simple iron sword becomes "Grillmig's bane", and with the name changed, it gains some extra stats.</p>
<p>Eventually, like all gear, you'll outgrow it and decide to sell it. Some upcoming player buys it and as they level they farm a ton of ghouls. And now it becomes: "Ghoul Slayer, the bane of Grill Mig". It gains more stats, but eventually this player too out grows it.</p>
<p>The weapon passes from player to player each time accruing new heroic associated with it, or unlocking achievements that no single player could ever do alone. Eventually, it becomes one of the most coveted swords in the game because its unique.</p>
<p>And any player who examines it can see the name of all the players who ever wielded it and what deeds they did. And if the designers were really clever, the sword would also benefit from having been used by characters that later did heroic deeds.</p>
<p>So when your character slays that final raid boss god dragon of nightmares, all of the sudden your first training sword no matter who currently has it, levels up and becomes the heirloom of the Great <insert your character name here>. </p>
<p>That's Awesome, and it's something that blockchain lets us easily do. "</p>
</blockquote>
<p>Now, first of all, that's an amazing game mechanic and a really cool idea, but one of the top comments said:</p>
<blockquote>
<p>Why does Blockchain make those MMO weapon concepts easier than any other methods? Would that not work with a standard database on a server?</p>
</blockquote>
<p>And that was my thoughts exactly. A blockchain solves the problem where you have a distributed system the users don't trust one another but want to build trust into their system. But the key word there is <strong>distributed</strong> if you already have a central authority that everyone trusts then a blockchain simply becomes a lot of work for no gain. If you trust the game company running the servers to keep an accurate history of the scores you don't need a distributed blockchain.</p>
<p>And in fact, if you have a central authority it solves one of the "problems" with a blockchain which is that you can undo a transaction if it's malicious or accidental. What if in the example above someone found an exploit in the game and managed to kill all the bosses in the game at once, now their weapon has that stat and if you had a distributed ledger, you can't undo.</p>
<p>People are human, they make mistakes, having an undo button is a great thing.</p>
<p>Another way I've seen blockchain over-hyped and used in the wrong way was some article<sup id="fnref:banks-and-blockchain"><a class="footnote-ref" href="#fn:banks-and-blockchain">2</a></sup> about a bank that was going to start using it for tracking their transactions. It was still at the R&D stage and probably just a puff piece with no substance. But the idea was it would be used by one bank, by them self, internally, tracking transactions but if it's just one bank why bother?</p>
<p>They can always go back and edit their internal blockchain to change some historical transaction and then just recalculate all the future transactions again after that. Who is going to stop them? Sure it might take some extra compute power to catch back up but they can do it. If their blockchain was running on 3 servers before just get an extra 300 servers onto it until you catch up again.</p>
<p>There are existing cryptographic tools that would do a better job with significantly less overhead in that situation, like <a href="https://xo.tc/time-stamp-with-openssl-an-curl.html">time stamps</a>. Make a file with all your transactions, calculate a SHA256 sum of the file and get it timestamped by an external trusted authority. It would give you a ledger that's much harder to alter.</p>
<p>The blockchain was a genius idea. It solves a very specific problem, but it's often being applied in situations where it's not appropriate. It makes me think of a kid who uses a VPN to log into Facebook and then make a derogatory comment about a teacher and later says "But I thought a VPN would make me anonymous"</p>
<p>All that's not to say that I don't like bitcoin, I do like it, I just think it's worth looking at the bad as well as the good.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:facilitate-trade">
<p>There are obviously some counterexamples to this, one of my friends has some bitcoin that he is using pay for things like a <abbr title="Virtual Private Server">VPS</abbr> directly with bitcoin. <a class="footnote-backref" href="#fnref:facilitate-trade" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:banks-and-blockchain">
<p>I can't remember the exact article I was reading but just Google "Bank blockchain" and you will find hundreds of similar ones. <a class="footnote-backref" href="#fnref:banks-and-blockchain" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>The best long haul flight tip I've got, bring an empty bottle2018-06-28T08:00:00+08:002018-06-28T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-06-28:/the-best-long-haul-flight-tip-ive-got-bring-an-empty-bottle.html<p>An IT Security focused blog is not really the right place to give out travel tips, but it's my blog so here we go.</p>
<p>I've received lots of great travel tips over the years but one of the best ones was for any flight you go on, especially long haul …</p><p>An IT Security focused blog is not really the right place to give out travel tips, but it's my blog so here we go.</p>
<p>I've received lots of great travel tips over the years but one of the best ones was for any flight you go on, especially long haul flights was:</p>
<blockquote>
<p>You can bring an empty bottle with you through customs and then fill it up and drink plenty of water on the flight.</p>
</blockquote>
<p>There are many bad things about long flight, but I feel like most of these things are exasperated by being dehydrated. Airlines give out small amount of water in tiny cups infrequently. Also I think<sup id="fnref:think"><a class="footnote-ref" href="#fn:think">1</a></sup> that the air-conditioning in planes is set to a very low humidity which drys my skin.</p>
<p>Even through you can't bring more than 100ml of liquids through customs you can bring an empty water bottle and most airports will have water fountains (usually located near the toilets) that you can use to refill your bottle.</p>
<p><img alt="Filling up my water bottle" src="https://xo.tc/images/water-bottle.png">
<em>Filling up my trusty water bottle at Leonardo da Vinci–Fiumicino Airport, Rome, Italy</em></p>
<p>I know that should be obvious that you can bring an empty bottles through but I've seen a lot of people throw out bottles at customs rather than just emptying them. Alternatively you could just buy a bottle of water after passing through customs but if your travelling a lot that's a lot of wasted bottles and do you really want to pay $5 for a small bottle of water?</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:think">
<p>I know nothing about the air-conditioning settings of planes, or it's effect on skin, it's purely anecdotal, and could be completely wrong. <a class="footnote-backref" href="#fnref:think" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Are loot boxes gambling?2018-06-21T08:00:00+08:002018-06-21T08:00:00+08:00Michael Van Delfttag:xo.tc,2018-06-21:/are-loot-boxes-gambling.html<p>First of all, always read the disclaimer<sup id="fnref:disclaimer"><a class="footnote-ref" href="#fn:disclaimer">1</a></sup>. I was watching an episode of <a href="https://www.youtube.com/watch?v=-Uha5c7hJdA">Extra Credits</a> a while ago and they were addressing loot boxes in games. At <a href="https://youtu.be/-Uha5c7hJdA?t=4m42s">4:22</a> in the video the question of whether loot boxes are gambling comes up, they say that more research is required …</p><p>First of all, always read the disclaimer<sup id="fnref:disclaimer"><a class="footnote-ref" href="#fn:disclaimer">1</a></sup>. I was watching an episode of <a href="https://www.youtube.com/watch?v=-Uha5c7hJdA">Extra Credits</a> a while ago and they were addressing loot boxes in games. At <a href="https://youtu.be/-Uha5c7hJdA?t=4m42s">4:22</a> in the video the question of whether loot boxes are gambling comes up, they say that more research is required but that the only study they could find found that</p>
<blockquote>
<p>Both legally and psychologically, there's an important distinction between gambling and non gambling and that is the ability to cash out. Because you can't take your rare Overwatch skin and sell it back to Blizzard for actual spending money, the experience affects us differently. Video game loot boxes are less like craps and roulette and are more akin to a crane game, or a blind box, or the raffle for prizes at the county fair.</p>
</blockquote>
<p>And I take issue with that<sup id="fnref:issue"><a class="footnote-ref" href="#fn:issue">2</a></sup>, because I think that the way we define currency needs to change. The Oxford English Dictionary <a href="https://en.oxforddictionaries.com/definition/currency">defines</a> currency as:</p>
<blockquote>
<p>A system of money in general use in a particular country.</p>
</blockquote>
<p>But I think a better definition would be something along the lines of</p>
<blockquote>
<p>Anything that is used to facilitation trade</p>
</blockquote>
<p>In fact Extra credits did a brilliant series on <a href="https://www.youtube.com/watch?v=-nZkP2b-4vo">The History of Paper Money</a> where they discus things like large rocks that were used as currency.</p>
<p>All sorts of things have been used as currencies, there are stories of cigarettes being used as currency after World War II, even by people who don't smoke. Consider bitcoin, I would argue that bitcoin and other cryptocurrencies are currencies.</p>
<p>If you search online you will find plenty of stories of the gold in World of Warcraft (WoW gold) being worth more than some or other countries currency<sup id="fnref:wow-gold"><a class="footnote-ref" href="#fn:wow-gold">3</a></sup>, and people who make full time jobs farming WoW gold and then selling online to change it back to their local currency.</p>
<p>You could argue that WoW gold is not a "real" currency because you can only buy things in Wold of Warcraft with it, and to buy things outside you need to convert it into another currency, but I would say that is true to some degrees of all currencies.</p>
<p>Even if you take what I assume<sup id="fnref:assume"><a class="footnote-ref" href="#fn:assume">4</a></sup> to be the most widely recognised and accepted currency, the US Dollar, you still can't use it to buy anything anywhere without converting it first. If you walk into McDonald's, the most American store I can think of, in Australia and try to buy a Big Mac with US Dollars you will be politely asked to go away and come back with real money. There is no currency that is universally accepted everywhere without the need to exchange it into another currency.</p>
<p>So, I believe that currencies in games, in particular games which allow players to trade with each other and therefore create an easy market for people to sell their in game items are "real" currencies. And by extension I believe extension loot boxes <em>are</em> gambling because you <em>can</em> cash out.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:disclaimer">
<p>I am so not qualified to talk about this, I'm not a psychologist, I'm not a finance expert, I'm not even a game designer. Information Technology is my area of expertise, and specifically IT Security. However, this is the internet, I have opinions and a blog so here we are. <a class="footnote-backref" href="#fnref:disclaimer" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:issue">
<p>To be clear here, I don't take issue with Extra Credits for citing that study, they are pretty up front about the fact that it's an area that needs much more in depth research and at least they tried to use a scientific study rather than just going on gut feel. <a class="footnote-backref" href="#fnref:issue" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:wow-gold">
<p>For example from a quick Google search I found that 1 USD buys 6,300 WoW Gold, and currently 1 USD gets 22,700 Vietnamese Dong (VND). You would be hard pressed to find anything 1 VND, in fact a cheap Bánh Mì is about 10,000 VND. So I guess you could say a Bánh Mì in Vietnam costs about 3,000 WoW gold. <a class="footnote-backref" href="#fnref:wow-gold" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
<li id="fn:assume">
<p>This is completely anecdotal. <a class="footnote-backref" href="#fnref:assume" title="Jump back to footnote 4 in the text">↩</a></p>
</li>
</ol>
</div>Where in the world is Michael Van Delft?2017-12-28T07:00:00+08:002017-12-28T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-12-28:/where-in-the-world-is-michael-van-delft.html<p>In August 2015, I set myself the goal of publishing one post per week on this site for at least a year. I've managed that goal, this will be my 124th post and so far I've had great fun writing.</p>
<p>By the time this post gets published I will have …</p><p>In August 2015, I set myself the goal of publishing one post per week on this site for at least a year. I've managed that goal, this will be my 124th post and so far I've had great fun writing.</p>
<p>By the time this post gets published I will have been married to my beautiful fiancée and have left Perth for our honeymoon an almost 12-month long trip backpacking around the world.</p>
<p>I have no idea if I will continue to update this blog, or just leave it. Although I suspect that if I do continue with it, my posts will not be as regular.</p>
<p>Here's to a good life.</p>
<p><img alt="A good life" src="https://xo.tc/images/a-good-life.png"></p>Simple Windows SMTP relay2017-12-21T07:00:00+08:002017-12-21T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-12-21:/simple-windows-smtp-relay.html<p>In a recent post I mentioned that I had survived an Office 365 migration with only minimal scarring. We run HPE Content Manager which is "Enterprise Software". Just like the large government agencies that Content Manager is designed for it's big, slow, resistant to change, expensive, bureaucratic but yet incredibly …</p><p>In a recent post I mentioned that I had survived an Office 365 migration with only minimal scarring. We run HPE Content Manager which is "Enterprise Software". Just like the large government agencies that Content Manager is designed for it's big, slow, resistant to change, expensive, bureaucratic but yet incredibly despite all it's failings, it's occasionally capable of achieving great things like landing on the moon.</p>
<p>Anyway HPE Content Manager hasn't gotten around to implementing TLS before authentication for it's mail processing yet so it can't talk to office 365. So I was looking for a way to setup a mail relay but didn't want to setup a whole new VM just to relay mail.</p>
<p>I was surprised to find that Windows offers a mail relay built in to IIS.</p>
<h2>Installing</h2>
<p>Go to server manager and select Manage > Add Roles and Features</p>
<p><img alt="Manager" src="https://xo.tc/images/smtp-relay-01-add-roles.png"></p>
<p>Skip past the before you begin page</p>
<p><img alt="Before you begin" src="https://xo.tc/images/smtp-relay-02-before-you-begin.png"></p>
<p>Pick "Role-based or Feature-based installation"</p>
<p><img alt="Installation Type" src="https://xo.tc/images/smtp-relay-03-installation-type.png"></p>
<p>Select the local server</p>
<p><img alt="Server Selection" src="https://xo.tc/images/smtp-relay-04-server-selection.png"></p>
<p>Add the "SMTP Server"</p>
<p><img alt="Add Features" src="https://xo.tc/images/smtp-relay-05-features.png"></p>
<p>This will also install IIS 6.0</p>
<p><img alt="Add Features" src="https://xo.tc/images/smtp-relay-06-add-features.png"></p>
<p>Confirm the setting and install</p>
<p><img alt="Confirm settings" src="https://xo.tc/images/smtp-relay-07-confirmation.png"></p>
<p><img alt="Confirm settings" src="https://xo.tc/images/smtp-relay-08-results.png"></p>
<h2>Settings</h2>
<p>Once the SMTP Server is installed open IIS 6.0. If you have a website on your server (such as HPE Content Manager Web Client) you will see two versions of IIS.</p>
<p><img alt="IIS 6" src="https://xo.tc/images/smtp-relay-09-IIS-6.png"></p>
<p>Right click on the SMTP Virtual Server and go to Properties</p>
<p><img alt="SMTP Virtual Server" src="https://xo.tc/images/smtp-relay-10-virtual-server.png"></p>
<p>Under the Access tab select Authentication.</p>
<p><img alt="SMTP Virtual Server - Access Tab" src="https://xo.tc/images/smtp-relay-11-access-tab.png"></p>
<p>On the Authentication window, check that Anonymous access is available</p>
<p><img alt="SMTP Virtual Server - Authentication" src="https://xo.tc/images/smtp-relay-12-authentication.png"></p>
<p>Next from the Access Tab select the Connections window and ensure that only the IP address you want can connect.</p>
<p><img alt="SMTP Virtual Server - Connections" src="https://xo.tc/images/smtp-relay-13-connection.png"></p>
<p>Then from the Access Tab select the Relay window and again ensure that only the IP address you want will be allowed.</p>
<p><img alt="SMTP Virtual Server - Relay" src="https://xo.tc/images/smtp-relay-14-relay.png"></p>
<p>Then go to the delivery tab, we are going to need the three buttons across the bottom.</p>
<p><img alt="SMTP Virtual Server - Delivery Tab" src="https://xo.tc/images/smtp-relay-15-delivery-tab.png"></p>
<p>Under Outbound Security enter the user name and password and tick TLS encryption.</p>
<p><img alt="SMTP Virtual Server - Outbound Security" src="https://xo.tc/images/smtp-relay-16-outbound-security.png"></p>
<p>Under Outbound Connections change the port to 587.</p>
<p><img alt="SMTP Virtual Server - Outbound Connections" src="https://xo.tc/images/smtp-relay-17-outbound-connections.png"></p>
<p>Finally under advanced set the smart host to SMTP.office365.com</p>
<p><img alt="SMTP Virtual Server - Outbound Connections" src="https://xo.tc/images/smtp-relay-18-advanced.png"></p>
<h2>Point Mail to the relay</h2>
<p>Now you can point HPE Content Manager or whatever it is that you need to relay mail for, to your server.</p>
<p><img alt="HPE Content Manger - Mail Settings" src="https://xo.tc/images/smtp-relay-19-hpe-cm.png"></p>The importance of open standards2017-12-14T07:00:00+08:002017-12-14T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-12-14:/the-importance-of-open-standards.html<p>I recently looked through my archives and was surprised to find that I hadn't blogged about this before as it's something I get quite passionate about.</p>
<p>Many companies try to set up proprietary standards in IT in an attempt to control the market. It's a horrible practice and needs to …</p><p>I recently looked through my archives and was surprised to find that I hadn't blogged about this before as it's something I get quite passionate about.</p>
<p>Many companies try to set up proprietary standards in IT in an attempt to control the market. It's a horrible practice and needs to be stopped. Imagine if you bought a HP laptop, and then you wanted to connect a printer to it, and instead of a USB port, you needed to buy a printer with a specific HP-Connection. And that type of connector was different from a Dell connection, or Lenovo, or Toshiba, or Sony, or Acer, or ...</p>
<p>Having one standard type of connection benefits everyone. It makes life easier for the consumers and makes the IT industry as a whole develop faster.</p>
<p>A great example of this is things like Firewire vs USB. Many people would argue that Firewire was a better design but there were several <a href="https://en.wikipedia.org/wiki/IEEE_1394#Intellectual_property_considerations">patent issues</a> as well as some weird copyright issues around the name leading to some companies calling it i.LINK, Lynx, or the generic IEEE 1394. Ultimately Firewire did not take off.</p>
<p>It shocks me that even though the EU passed a law that all phones sold in Europ must have a Micro USB (or later USB-C) charger, Apple blatantly flaunts this issue and continues to sell phones with their own proprietary connector.</p>
<p>I've lost count of the number of times people have asked me if I've got a phone charger. I've got Micro USB and USB-C and that will fit any phone made in the last 8 years, except the iPhone. It's not because I don't like Apple, it's because Apple refuses to support open standards. People wouldn't be as surprised if I didn't have the charger for a Nokia N-Gage, or an Ericsson T28 they would accept that it's an unusual phone and I can't hold every type of charger.</p>
<p>The next iPhone whatever version number that might be, would be no less great a phone if it was to come with USB-C.</p>
<p>Embrace open standard, it makes life easier for everyone.</p>Hang Gliding Over Hell, 3 drives die in a 6 drive NAS2017-12-07T07:00:00+08:002017-12-07T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-12-07:/hang-gliding-over-hell-3-drives-die-in-a-6-drive-nas.html<p>A while ago I wrote about <a href="https://xo.tc/learning-from-failure.html">learning from failure</a>. This is a story of failure; Hardware failure, failure of design and failure of my self (The systems administrator) to not correct the issues earlier. It's hard to write about, but I believe that stories of failure can teach us just …</p><p>A while ago I wrote about <a href="https://xo.tc/learning-from-failure.html">learning from failure</a>. This is a story of failure; Hardware failure, failure of design and failure of my self (The systems administrator) to not correct the issues earlier. It's hard to write about, but I believe that stories of failure can teach us just as much, if not more, than stories of successes.</p>
<p>I inherited a system where a number of VMs were running on top of two Hyper-V hosts, with a single NAS hosting a .VHD file that was shared as an iSCSI target for the storage of the .VHDs that were the VM disks.</p>
<p><img alt="Hyper-V Failover Cluster" src="https://xo.tc/images/Hyper-V-Failover-Cluster.png"></p>
<p>Now, this design is not great for a number of reasons that will become apparent throughout this post, but a few that should immediately jump out is that the one NAS provides a single point of failure, and that using a .VHD file as the iSCSI target will not provide great performance, it would be better to use the disk directly.</p>
<p><img alt="RAID All ok" src="https://xo.tc/images/RAID-all-ok.png"></p>
<p>So the first failure is that I never upgraded this setup to something more robust, I had ample time and the budget was available but I took an attitude of "If it's not broken, don't fix it". That is the wrong attitude to have, sure no one was complaining about the performance and it was running ok so but I could have fixed all of these issues before they even started, and I did not.</p>
<h2>2017-03-01 03:00 Drive in Bay 1 dies</h2>
<p>I'm blissfully asleep, maybe I rolled over and scratch my ear.</p>
<p><img alt="RAID bay 1 dies" src="https://xo.tc/images/RAID-bay-1-dead.png"></p>
<h2>2017-03-01 03:00 Servers blue screen</h2>
<p>In theory, because the NAS has a RAID5 + Hot Spare, everything should keep ticking along even after one drive dies. However the server froze up for just long enough the iSCSI connection timed out and the servers could no longer read and write to their disks, so all the VMs crashed.</p>
<p>Critically this includes the Exchange server, so the email alert about a failed disk that the HP ILO should have sent goes nowhere.</p>
<h2>2017-03-01 08:30 I get to work, and reboot servers</h2>
<p>I get to work and am immediately told that nothing is working, so I remote into the Hyper-V servers and reboot all the VMs. They come back up ok and I spend a bit of time trying to work out why they failed but somehow I completely miss the fact that one of the disks in the NAS has died. I think I assumed it was related to a bad Windows Update for Hyper-V or something.</p>
<h2>2017-03-01 21:00 Servers blue screen again</h2>
<p>The servers bluescreen again, due to read/write timeout. Only this time the nightly backups fail to run as well.</p>
<h2>2017-03-02 08:30 I replace drive in bay 1</h2>
<p>I get to work and for a second day, all the servers are down. I reboot them and then I finally I see that the drive in bay 1 of the NAS is dead. We don't have a cold spare on site so I go down to the local computer shop and buy a new drive.</p>
<p>Fortunately, It's a RAID 5 with Hot Spare array so it has already rebuilt into the hot spare.</p>
<p><img alt="RAID bay 1 Replaced" src="https://xo.tc/images/RAID-bay-1-rebuilding.png"></p>
<h2>2017-03-02 09:45 Rebuilding at 12% Hot spare dies. Rebuilding starts again at 0%.</h2>
<p>I'm sitting at my desk watching the array rebuild onto the drive in Bay 1 and then suddenly... The hot spare dies. I suspect that the hot spare had actually been dodgy for a while, but because we were using RAID 5 with a Hot Spare rather than RAID 6 the disk wasn't in use and so we never got alerted that it was bad.</p>
<p><img alt="RAID bay 1 Replaced bay 6 dies" src="https://xo.tc/images/RAID-bay-1-rebuilding-bay-6-dies.png"></p>
<p>Fortunately, we still have enough data on the 4 remaining disks to rebuild the array but now instead of a straight copy from the hot spare to the new disk, it's got to actually calculate the parity bits all over again. So the rebuild is not running much slower.</p>
<p>I replace the hot spare with a new blank drive.</p>
<p><img alt="RAID bay 1 Replaced bay 6 replaced" src="https://xo.tc/images/RAID-bay-1-rebuilding-bay-6-blank.png"></p>
<h2>2017-03-02 20:00 Rebuilding at 80%. Drive in bay 3 marked "predicted failure".</h2>
<p>I spend the rest of the day not being very productive and checking the rebuild progress every 10 minutes or so. Then at about 20:00 when I log in to have a look, the drive in bay 3 is marked as predicted failure.</p>
<p>Last night's backups failed, tonight's backups have not run yet because I've disabled them while the array is rebuilding. But if Disk 3 dies before Disk 1 is online we won't have enough disks left to rebuild the array.</p>
<p><img alt="RAID bay 1 Replaced bay 6 replaced bay 3 warning" src="https://xo.tc/images/RAID-bay-1-rebuilding-bay-3-warning.png"></p>
<h2>2017-03-02 21:30 Rebuilding hits 100%</h2>
<p>The last few minutes were nail-bitingly intense. But finally, the array has rebuilt. I start the backups and go to bed, unfortunately, the backups fail again.</p>
<p><img alt="RAID bay 3 warning" src="https://xo.tc/images/RAID-bay-3-warning.png"></p>
<h2>2017-03-03 10:00 A consultant comes in</h2>
<p>Where I work I'm essentially a one-person IT team, I've got a colleague who is very technical and good to bounce ideas off, but they are not in a full time IT role. But we have an external IT consultant that we use if I need help or to cover for me while I'm away on leave, so we called the consultant in for a bit of extra support.</p>
<h2>2017-03-03 12:00 We remove the drive in bay 3. NAS crashes. We replace the drive in bay 3.</h2>
<p>After some discussion, we decide that the next step is to remove the drive in bay 3. Rather than waiting until the end of the day, or for the predicted failure, let's just pull it and get the array rebuilding onto the hot spare as soon as possible.</p>
<p>I've pulled drives out of servers with hardware RAID before and they have been fine. I'd just recently pulled drives out of this NAS before and had no issues. But as soon as I pulled the drive out from bay 3, the NAS bluescreened and wouldn't reboot despite the fact that the OS was on a separate RAID array.</p>
<p><img alt="RAID bay 3 removed" src="https://xo.tc/images/RAID-bay-3-removed.png"></p>
<p>Naturally, all the VMs bluescreened as well and people were displeased that all the systems had stopped working in the middle of the day. I replaced the faulty drive back into bay 3 and then NAS booted.</p>
<p><img alt="RAID bay 3 warning" src="https://xo.tc/images/RAID-bay-3-warning.png"></p>
<p>We decided not to touch the NAS again during working hours. </p>
<h2>2017-03-03 17:45 I start manually copying VHD files off to USB drive.</h2>
<p>At this point, it's a Friday afternoon and I don't have a successful backup since Tuesday night. Veeam is failing, so I start copying the VHD files (for the VMs) onto a USB hard drive.</p>
<h2>2017-03-04 21:00 Copying the File Server D drive is still failing. I shut down the NAS and put a new drive in bay 3.</h2>
<p>All the servers are backed up except the File Server D drive which won't copy, but I'm running out of time. So I shut down the NAS and replace the drive in bay 3 with a blank one and the server boot. I rebuild the array offline which is quicker than while it's running but still slow.</p>
<p><img alt="RAID bay 3 rebuilding" src="https://xo.tc/images/RAID-bay-3-rebuilding.png"></p>
<h2>2017-03-05 08:00 Array is rebuilt, File Server D drive is still failing</h2>
<p><img alt="RAID All ok" src="https://xo.tc/images/RAID-all-ok.png"></p>
<p>The array is back up and looking healthy. But Veeam is still failing to back up the fileserver D drive.</p>
<h2>2017-03-05 19:00 chkdsk /f File Server D overnight</h2>
<p>I had to shut all the servers down, unmount the iSCSI drive and run <code>chkdsk /f</code>, it runs over the whole night and finally finishes only to report no errors on NAS. But the Fileserver D drive backups are still failing.</p>
<h2>2017-03-06 07:00 chkdsk /R on the NAS</h2>
<p>Luckily Monday was a public holiday and I could continue to work leave the VMs shutdown and work on the NAS without causing interruptions to staff, so first thing in the morning I start <code>chkdsk /r</code>. I wrote about <a href="https://xo.tc/veeam-backup-errors-after-nas-hard-drive-failure.html">Veeam backup errors after NAS hard drive failure</a>.</p>
<h2>2017-03-06 20:00 chkdsk finishes. I boot all servers and start a backup.</h2>
<p>Finally chkdsk finishes and reports that it's fixed a number of issues. I still don't know for sure that I've fixed the issue with the backups but I'm feeling a little better.</p>
<h2>2017-03-07 06:00 File server D finishes the backup.</h2>
<p>Finally, I can breathe a huge sigh of relief after a full week of outages and issues everything seems to be running normally again.</p>
<h2>Over the next few months</h2>
<p>Over the new few months, I worked to decommission this setup and move to a more robust design, including shutting down our VMs and migrating many of our services to the cloud. This system is now thankfully no longer in use and I can sleep easier knowing I will never again need to go through that ordeal.</p>
<p>Also importantly, I've learned the hard way about the importance of proactive maintenance and not having a single point of failure. Fortunately, in this case, there was no data loss, but it came far too close for comfort.</p>The bicycle side channel2017-11-30T07:00:00+08:002017-11-30T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-11-30:/the-bicycle-side-channel.html<p>There is a problem with most cryptographic systems, it's not new and it affects most systems.</p>
<p>Most formal definitions of a "Perfect security" within cryptography (think One Time Pads) still allow for a few things to be leaked; the size of the messages, the sender and receiver of the messages …</p><p>There is a problem with most cryptographic systems, it's not new and it affects most systems.</p>
<p>Most formal definitions of a "Perfect security" within cryptography (think One Time Pads) still allow for a few things to be leaked; the size of the messages, the sender and receiver of the messages, and the frequency and number of the messages. These are generally considered out of scope and seen as a protocol problem, not a cryptography one.</p>
<p>When I was first introduced to this problem it was called the "The bicycle side channel". Imagine that Alice and Bob have brought their daughter Eve a bicycle for Christmas along with some other presents. They have wrapped all the gifts up in wrapping paper and placed them Christmas tree.</p>
<p>Eve is curious about what gifts might be coming for Christmas but doesn't want to tear the wrapping paper because then her parents will find out that she has peaked. But she can count the number of presents, and she can look at the labels to see who they are from and who they are for, and with one gift she can tell from the shape that it's a bicycle. Maybe she can't tell what colour it is, or which brand, but even wrapped in paper it still looks like a bike.</p>
<p>Consider the image below.</p>
<p><img alt="Image Name" src="https://xo.tc/images/giftwrapped-airliner.png"></p>
<blockquote>
<p><strong>Author:</strong> <a href="https://commons.wikimedia.org/wiki/File:Alliance_Airlines_Fokker_F70_wrapped_up_at_Brisbane_Airport_%28cropped%29.jpg">Brisbane Airport, Photographer Sarah Whyte</a></p>
</blockquote>
<p>Despite the fact that it's entirely gift wrapped, even with a little bow around it. I think most people can still work out that it's an airliner. Those of you who know a lot about aviation might even be able to work out that it's a Fokker F70 based on things like the shape and height of the wings. Sure you might not be able to read the registration number on the tail but you still know what it is.</p>
<p>To bring this metaphor back to cryptosystems imagine the Tor network is just starting off and there are only 5 users currently connected. Four are reading Wikipedia articles, and one is watching YouTube. If you saw a graph of how much traffic was going to and from each node, you could easily work out which user was watching YouTube.</p>
<p>As the size of the network grows this get more complex but there was some serious research into decloaking Tor users with nothing more than <a href="https://blog.torproject.org/traffic-correlation-using-netflows">Cisco NetFlow</a>. There was another great <a href="https://guidovranken.files.wordpress.com/2015/12/https-bicycle-attack.pdf">paper</a> that looked at the information leaked by HTTPS connections just based on the size of the messages.</p>
<p>Some networks such as <a href="https://geti2p.net/">I2P</a> do take this into account and try to send fixed size (padded) messages at a fixed interval so while the I2P router is running it will be relaying messages or just sending and receiving junk to make it hard to tell when a connection is actively being used let alone who is doing what. Of course, this is a trade-off between performance of the network and secrecy and in system design, you need to choose do you try to foil metadata analysis or do you try for maximum performance.</p>Installing Duplicati on an Arch Linux Laptop2017-11-23T07:00:00+08:002017-11-23T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-11-23:/installing-duplicati-on-an-arch-linux-laptop.html<p>For this setup I'm using <a href="https://www.duplicati.com/">Duplicati</a> to backup to <a href="https://www.backblaze.com">Backblaze</a>. In a previous post I've written some <a href="https://xo.tc/setting-up-backblaze-for-duplicati.html">instructions on setting up Backblaze</a>.</p>
<h2>Installing</h2>
<p>To install Duplicati simply run</p>
<div class="highlight"><pre><span></span><code>git clone https://aur.archlinux.org/duplicati-latest.git
cd duplicati-latest
makepkg -si
</code></pre></div>
<p>Then enable and start the service</p>
<div class="highlight"><pre><span></span><code>sudo systemctl enable duplicati …</code></pre></div><p>For this setup I'm using <a href="https://www.duplicati.com/">Duplicati</a> to backup to <a href="https://www.backblaze.com">Backblaze</a>. In a previous post I've written some <a href="https://xo.tc/setting-up-backblaze-for-duplicati.html">instructions on setting up Backblaze</a>.</p>
<h2>Installing</h2>
<p>To install Duplicati simply run</p>
<div class="highlight"><pre><span></span><code>git clone https://aur.archlinux.org/duplicati-latest.git
cd duplicati-latest
makepkg -si
</code></pre></div>
<p>Then enable and start the service</p>
<div class="highlight"><pre><span></span><code>sudo systemctl enable duplicati.service
sudo systemctl start duplicati.service
</code></pre></div>
<h2>Setup Backups</h2>
<p>Once duplicati has started browse to <a href="http://localhost:8200">http://localhost:8200</a></p>
<p>The first message I got on Arch was asking if duplicati would be running on a multi-user system. I picked "No, my machine only has a single account".</p>
<p><img alt="Duplicati Arch Multi-User" src="https://xo.tc/images/duplicati-arch-01-multi-user.png"></p>
<p>Now click on Add Backup > Configure a new backup > Next</p>
<p><img alt="Duplicati Arch New Backup" src="https://xo.tc/images/duplicati-arch-02-new-backup.png"></p>
<p>Give your backups a name, you don't need to use encryption but I'd highly recommend it, and I'd also recommend using their password generator and saving the password in a password manager.</p>
<p><img alt="Duplicati Arch Setup General" src="https://xo.tc/images/duplicati-arch-03-settings-general.png"></p>
<p>Pick B2 Cloud Storage, put in your Bucket Name, a folder path, your account ID and your application key (from the <a href="https://xo.tc/setting-up-backblaze-for-duplicati.html">instructions on setting up Backblaze</a>). It's also a good idea to test your connection before continuing.</p>
<p><img alt="Duplicati Arch Setup Destination" src="https://xo.tc/images/duplicati-arch-04-settings-destination.png"></p>
<p>Select your source data</p>
<p><img alt="Duplicati Arch Setup Source Data" src="https://xo.tc/images/duplicati-arch-05-settings-source-data.png"></p>
<p>Setup a schedule that works for you, the default on of once a day is pretty reasonable for most personal backups.</p>
<p><img alt="Duplicati Arch Setup Schedule" src="https://xo.tc/images/duplicati-arch-06-settings-schedule.png"></p>
<p>Unless you have a reason to change them I'd leave the default options.</p>
<p><img alt="Duplicati Arch Setup Options" src="https://xo.tc/images/duplicati-arch-07-settings-options.png"></p>
<p>And your done, you can hit Run now to start the backups or just wait for the schedule to kick in.</p>
<p><img alt="Duplicati Windows Setup" src="https://xo.tc/images/duplicati-arch-08-finished.png"></p>
<p>It's that easy.</p>Installing Duplicati on a headless Debian Linux server2017-11-16T07:00:00+08:002017-11-16T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-11-16:/installing-duplicati-on-a-headless-debian-linux-server.html<p>For this setup I'm using <a href="https://www.duplicati.com/">Duplicati</a> to backup to <a href="https://www.backblaze.com">Backblaze</a>. In a previous post I've written some <a href="https://xo.tc/setting-up-backblaze-for-duplicati.html">instructions on setting up Backblaze</a>.</p>
<h2>SSH into the server</h2>
<p>The first thing we have to do is to SSH into the server, because Duplicati will be running as a web service on port …</p><p>For this setup I'm using <a href="https://www.duplicati.com/">Duplicati</a> to backup to <a href="https://www.backblaze.com">Backblaze</a>. In a previous post I've written some <a href="https://xo.tc/setting-up-backblaze-for-duplicati.html">instructions on setting up Backblaze</a>.</p>
<h2>SSH into the server</h2>
<p>The first thing we have to do is to SSH into the server, because Duplicati will be running as a web service on port 8200 we need to forward connections to that port. Because I've already got Duplicati running on my desktop port 8200 is already taken so I'm going to be forwarding port 8000 on my desktop to port 8200 on the headless Linux server.</p>
<p>In PuTTY open go to Connections > SSH > Tunnels</p>
<p><img alt="Duplicati Putty Forwarding Ports" src="https://xo.tc/images/duplicati-debian-01-putty-setup.png"></p>
<p>Set the source port to <code>8000</code> and the destination to <code>localhost:8200</code> then hit Add</p>
<p><img alt="Duplicati Putty Forwarding Ports" src="https://xo.tc/images/duplicati-debian-02-putty-setup.png"></p>
<p>Or if your SSHing in from a Linux desktops then use <code>ssh example.com -L 8000:localhost:8200</code></p>
<h2>Installing</h2>
<p>Head over to the <a href="https://www.duplicati.com/download">Duplicati download page</a> and copy the link to the Debian installer (in Firefox you can right click > copy link location)</p>
<p><img alt="Duplicati download" src="https://xo.tc/images/duplicati-debian-03-link-location.png"></p>
<p>Then download the file on the server</p>
<div class="highlight"><pre><span></span><code>wget https://updates.duplicati.com/beta/duplicati_2.0.2.1-1_all.deb
</code></pre></div>
<p>Then run the installer using apt (not <code>apt-get</code>)</p>
<div class="highlight"><pre><span></span><code>sudo apt install ./duplicati_2.0.2.1-1_all.deb
</code></pre></div>
<p>If you don't already have Mono installed this will bring a lot of dependencies with it.</p>
<p>Finally enable and start the service</p>
<div class="highlight"><pre><span></span><code>sudo systemctl <span class="nb">enable</span> duplicati.service
sudo systemctl start duplicati.service
</code></pre></div>
<p>I found I needed to wait about 45 seconds for the service to start accepting connections.</p>
<h2>Setup Backups</h2>
<p>Once Duplicati is installed open your web browser and go to <a href="http://localhost:8000">http://localhost:8000</a></p>
<p><img alt="Duplicati Debian Home" src="https://xo.tc/images/duplicati-debian-04-setup-home.png"></p>
<p>Click on Add Backup > Configure a new backup > Next</p>
<p><img alt="Duplicati Debian New Backup" src="https://xo.tc/images/duplicati-debian-05-setup-new-backup.png"></p>
<p>Give your backups a name, you don't need to use encryption but I'd highly recommend it, and I'd also recommend using their password generator and saving the password in a password manager.</p>
<p><img alt="uplicati Debian Setup General" src="https://xo.tc/images/duplicati-debian-06-setup-general.png"></p>
<p>Pick B2 Cloud Storage, put in your Bucket Name, a folder path, your account ID and your application key (from the <a href="https://xo.tc/setting-up-backblaze-for-duplicati.html">instructions on setting up Backblaze</a>). It's also a good idea to test your connection before continuing.</p>
<p><img alt="Duplicati Debian Setup Destination" src="https://xo.tc/images/duplicati-debian-07-setup-destination.png"></p>
<p>Select your source data</p>
<p><img alt="Duplicati Debian Setup Source Data" src="https://xo.tc/images/duplicati-debian-08-setup-source-data.png"></p>
<p>Setup a schedule that works for you, the default on of once a day is pretty reasonable for most personal backups.</p>
<p><img alt="Duplicati Debian Setup Schedule" src="https://xo.tc/images/duplicati-debian-09-setup-schedule.png"></p>
<p>Unless you have a reason to change them I'd leave the default options.</p>
<p><img alt="Duplicati Debian Setup Options" src="https://xo.tc/images/duplicati-debian-10-setup-options.png"></p>
<p>And your done, you can hit Run now to start the backups or just wait for the schedule to kick in.</p>
<p><img alt="Duplicati Debian Setup Finished" src="https://xo.tc/images/duplicati-debian-11-finished.png"></p>
<p>It's that easy.</p>Installing Duplicati on Windows 102017-11-09T07:00:00+08:002017-11-09T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-11-09:/installing-duplicati-on-windows-10.html<p>For this setup I'm using <a href="https://www.duplicati.com/">Duplicati</a> to backup to <a href="https://www.backblaze.com">Backblaze</a>. In a previous post I've written some <a href="https://xo.tc/setting-up-backblaze-for-duplicati.html">instructions on setting up Backblaze</a>.</p>
<h2>Install</h2>
<p>First head on over to <a href="https://www.duplicati.com/download">Duplicati</a> and download the latest version for Windows (at the time of this writing that's 2.0.2.1)</p>
<p>Start the installer …</p><p>For this setup I'm using <a href="https://www.duplicati.com/">Duplicati</a> to backup to <a href="https://www.backblaze.com">Backblaze</a>. In a previous post I've written some <a href="https://xo.tc/setting-up-backblaze-for-duplicati.html">instructions on setting up Backblaze</a>.</p>
<h2>Install</h2>
<p>First head on over to <a href="https://www.duplicati.com/download">Duplicati</a> and download the latest version for Windows (at the time of this writing that's 2.0.2.1)</p>
<p>Start the installer</p>
<p><img alt="Duplicati Windows Installer" src="https://xo.tc/images/duplicati-windows-01-installer.png"></p>
<p>Accept the GPL License</p>
<p><img alt="Duplicati Windows License" src="https://xo.tc/images/duplicati-windows-02-gpl-license.png"></p>
<p>Accept the default setup</p>
<p><img alt="Duplicati Windows Setup" src="https://xo.tc/images/duplicati-windows-03-setup.png"></p>
<p>Click on Install</p>
<p><img alt="Duplicati Windows Install" src="https://xo.tc/images/duplicati-windows-04-install.png"></p>
<p>Hit Finish to launch Duplicati</p>
<p><img alt="Duplicati Windows Install" src="https://xo.tc/images/duplicati-windows-05-install-finished.png"></p>
<h2>Launch</h2>
<p>Duplicati should automatically launch in your default web browser after installing. If it doesn't, simply open your web browser and go to <a href="http://localhost:8200/ngax/index.html">http://localhost:8200/ngax/index.html</a></p>
<p><img alt="Duplicati Windows Home" src="https://xo.tc/images/duplicati-windows-06-home.png"></p>
<h2>Setup backups</h2>
<p>Click on Add Backup > Configure a new backup > Next</p>
<p><img alt="Duplicati Windows New Backup" src="https://xo.tc/images/duplicati-windows-07-add-backup.png"></p>
<p>Give your backups a name, you don't need to use encryption but I'd highly recommend it, and I'd also recommend using their password generator and saving the password in a password manager.</p>
<p><img alt="Duplicati Windows Setup General" src="https://xo.tc/images/duplicati-windows-08-setup-general.png"></p>
<p>Pick B2 Cloud Storage, put in your Bucket Name, a folder path, your account ID and your application key (from the <a href="https://xo.tc/setting-up-backblaze-for-duplicati.html">instructions on setting up Backblaze</a>). It's also a good idea to test your connection before continuing.</p>
<p><img alt="Duplicati Windows Setup Destination" src="https://xo.tc/images/duplicati-windows-09-setup-destination.png"></p>
<p>Select your source data</p>
<p><img alt="Duplicati Windows Setup Source Data" src="https://xo.tc/images/duplicati-windows-10-setup-source-data.png"></p>
<p>Setup a schedule that works for you, the default on of once a day is pretty reasonable for most personal backups.</p>
<p><img alt="Duplicati Windows Setup Schedule" src="https://xo.tc/images/duplicati-windows-11-setup-schedule.png"></p>
<p>Unless you have a reason to change them I'd leave the default options.</p>
<p><img alt="Duplicati Windows Setup Options" src="https://xo.tc/images/duplicati-windows-12-setup-options.png"></p>
<p>And your done, you can hit Run now to start the backups or just wait for the schedule to kick in.</p>
<p><img alt="Duplicati Windows Setup" src="https://xo.tc/images/duplicati-windows-13-setup-run-now.png"></p>
<p>It's that easy.</p>
<p><img alt="Duplicati Windows Setup Finished" src="https://xo.tc/images/duplicati-windows-14-running.png"></p>Setting up Backblaze for Duplicati2017-11-02T07:00:00+08:002017-11-02T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-11-02:/setting-up-backblaze-for-duplicati.html<p>I've been <a href="https://xo.tc/crashplan-personal-is-shutting-down.html">looking</a> for new backup software for a few months and I've found <a href="https://www.duplicati.com/">Duplicati</a>. I'm absolutely stoked with it, it does everything I want from backup software.</p>
<p>Duplicati can backup to a number of different locations and there are several cloud options but I've chosen to go with <a href="https://www.backblaze.com/">Backblaze …</a></p><p>I've been <a href="https://xo.tc/crashplan-personal-is-shutting-down.html">looking</a> for new backup software for a few months and I've found <a href="https://www.duplicati.com/">Duplicati</a>. I'm absolutely stoked with it, it does everything I want from backup software.</p>
<p>Duplicati can backup to a number of different locations and there are several cloud options but I've chosen to go with <a href="https://www.backblaze.com/">Backblaze</a>. I like them because they are extremely open with the design of their <a href="https://www.backblaze.com/b2/storage-pod.html">Storage Pods</a>. Not just on how they work but releasing all the information you need to go and actually build one yourself.</p>
<p>It doesn't hurt that Backblaze are <a href="https://www.backblaze.com/b2/cloud-storage-pricing.html">cheaper</a> than Amazon S3<sup id="fnref:cheaper"><a class="footnote-ref" href="#fn:cheaper">1</a></sup> and will <a href="https://www.backblaze.com/restore.html">mail you</a> a hard drive with your data. Something that CrashPlan <a href="https://xo.tc/crashplan-no-longer-offer-restore-to-door-service.html">used to do</a> until a few years ago.</p>
<h2>Signing up to Backblaze</h2>
<p>So the first part of setting up Duplicati is setting somewhere to send your backups to, head over to the Backblaze B2 <a href="https://www.backblaze.com/b2/cloud-storage.html">sign up page</a> and click Sign up today</p>
<p><img alt="Sign up to backblaze" src="https://xo.tc/images/backblaze-b2-signup-1.png"></p>
<p>Put in a username and password<sup id="fnref:password"><a class="footnote-ref" href="#fn:password">2</a></sup></p>
<p><img alt="Sign up to backblaze - password" src="https://xo.tc/images/backblaze-b2-signup-2-username-and-password.png"></p>
<p>I was told I needed a phone number</p>
<p><img alt="Sign up to backblaze - phone" src="https://xo.tc/images/backblaze-b2-signup-3-phone-number.png"></p>
<p>So I entered my phone number</p>
<p><img alt="Sign up to backblaze - phone" src="https://xo.tc/images/backblaze-b2-signup-4-phone-number-code.png"></p>
<p>and enabled 2-factor authentication</p>
<p><img alt="Sign up to backblaze - 2-factor authentication" src="https://xo.tc/images/backblaze-b2-signup-5-two-factor.png"></p>
<h2>Create a bucket</h2>
<p>Next go to Buckets > Create a Bucket</p>
<p><img alt="backblaze - Create Bucket" src="https://xo.tc/images/backblaze-b2-create-bucket.png"></p>
<p>Once the bucket is created click on "Show Account ID and Application Key" then "Create Application Key".</p>
<p><img alt="backblaze - Account ID and Application Key" src="https://xo.tc/images/backblaze-b2-account-id-and-application-key.png"></p>
<p>Record this Application Key and keep it safe, we will need it to setup Duplicati</p>
<p>Now we are ready to install Duplicati. Over the next few weeks I'm going to do posts on:</p>
<ul>
<li>Installing Duplicati on Windows 10</li>
<li>Installing Duplicati on a headless Debian Linux server</li>
<li>Installing Duplicati on an Arch Linux Laptop</li>
</ul>
<div class="footnote">
<hr>
<ol>
<li id="fn:cheaper">
<p>and the same price as Amazon Glacier in Sydney <a class="footnote-backref" href="#fnref:cheaper" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:password">
<p>I found that passwords are limited to 50 characters, which isn't great but it's not too restrictive. <a class="footnote-backref" href="#fnref:password" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>Just use subdomains2017-10-26T07:00:00+08:002017-10-26T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-10-26:/just-use-subdomains.html<p>Recently Brian Krebs <a href="https://krebsonsecurity.com/2017/10/dell-lost-control-of-key-customer-support-domain-for-a-month-in-2017/">ran a story</a> about a domain that dell forgot to renew and lost control of for a period of time.</p>
<p>One thing that I noticed from the story was that the domain was DellBackupAndRecoveryCloudStorage.com.</p>
<p>I have no idea why large organisations insist on registering new domains …</p><p>Recently Brian Krebs <a href="https://krebsonsecurity.com/2017/10/dell-lost-control-of-key-customer-support-domain-for-a-month-in-2017/">ran a story</a> about a domain that dell forgot to renew and lost control of for a period of time.</p>
<p>One thing that I noticed from the story was that the domain was DellBackupAndRecoveryCloudStorage.com.</p>
<p>I have no idea why large organisations insist on registering new domains like that, DellBackupAndRecoveryCloudStorage.com could so easily be part of a command and control system just trying to stay stealthy. I remember the recent launch of AmazonLightsail.com, my first though was "is this a phishing domain"? Anyone could have registered these domains, it could be Jo from down the street.</p>
<p>Why not setup BackupAndRecoveryCloudStorage.dell.com or use lightsail.aws.amazon.com? That way it's clear who controls the domain, and makes life easier for network admins that want whitelist, filter or inspect traffic.</p>Email addresses with apostrophes and mail loops2017-10-19T07:00:00+08:002017-10-19T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-10-19:/email-addresses-with-apostrophes-and-mail-loops.html<p>Recently we encountered an issue sending an email from one domain, hosted on Office 365 to another domain also hosted on Office 365. The destination email address had an apostrophe e.g. tim.o'reilly@example.org and we were getting the error message. <code>554 5.4.14 Hop count exceeded …</code></p><p>Recently we encountered an issue sending an email from one domain, hosted on Office 365 to another domain also hosted on Office 365. The destination email address had an apostrophe e.g. tim.o'reilly@example.org and we were getting the error message. <code>554 5.4.14 Hop count exceeded - possible mail loop</code></p>
<p>When we removed the apostrophe from the email address the email got through ok.</p>
<p>But the error message still didn't make sense to me. Firstly, while rare an email address with an apostrophe is <a href="https://en.wikipedia.org/wiki/Email_address#Examples">technically valid</a>. And secondly if an address doesn't exist I would expect a <code>550 5.1.10 Recipient not found</code> or similar message rather than "Hop count exceeded".</p>
<p>As it turned out the apostrophe was a red herring. The destination domain was a hybrid Office 365 deployment, and for any address where the local part did not exist Office 365, the mail was forwarded to the onsite server, which in turn would forward to the Office 365 server.</p>
<p><img alt="Mail Loop" src="https://xo.tc/images/mail-loop.png"></p>
<p>After getting this error, I tried a few different mail serves with apostrophes and that Office 365, Gmail, EXIM4 on Debian and Yahoo Mail all work ok with apostrophes.</p>A national identity system2017-10-12T07:00:00+08:002017-10-12T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-10-12:/a-national-identity-system.html<p>A national identity system is something I've been thinking about a lot lately. No real answers here, just musings...</p>
<h2>The Problem</h2>
<p>There are many departments at all levels of Government that need to track people for various reasons, but each implements its own system and no system is universal;</p>
<h2>The …</h2><p>A national identity system is something I've been thinking about a lot lately. No real answers here, just musings...</p>
<h2>The Problem</h2>
<p>There are many departments at all levels of Government that need to track people for various reasons, but each implements its own system and no system is universal;</p>
<h2>The status quo</h2>
<p>In the United States of America, a Social Security is the de facto standard, CGP Grey made a great video <a href="https://www.youtube.com/watch?v=Erp8IAUouus">Social Security Cards Explained</a> which covers some of the problems with that.</p>
<p>In Australia,</p>
<ul>
<li>At the Federal level, there is the Australian Tax Office, with whom most people have a Tax File Number.</li>
<li>At the State level, there are the Licensing Departments, with whom most people have a Drivers License (and specifically a drivers license number)</li>
<li>At the Local level, there are the local councils, to whom homeowners pay council rates and each council has its own way of tracking people.</li>
</ul>
<p>While things like a <abbr title="Tax File Number">TFN</abbr>, a passport or a drivers license number might cover 90% of the Australian adult population there will be many people that don't have these.</p>
<h2>The ultimate ID card</h2>
<p>I can imagine a national identity system where people get an ID card that is a veritable <a href="https://en.wikipedia.org/wiki/Swiss_Army_knife">Swiss Army knife</a> of modern identity.</p>
<p>The card would have all the usual things on an ID card;</p>
<ul>
<li>Photo</li>
<li>Full Name</li>
<li>Date of birth</li>
<li>Unique ID number<sup id="fnref:Unique-ID"><a class="footnote-ref" href="#fn:Unique-ID">1</a></sup></li>
<li>Validity Dates</li>
</ul>
<p>But the card would also have NFC, with a certificate and private key stored on the card.</p>
<p>The certificate would contain the same information that's visible on the card (e.g. Photo, name, etc...).</p>
<p>Much like with TLS, the certificate would need to be signed by a trusted Certification Authority (e.g. The Federal Government) which would also need to publish a public Certificate Revocation List (<abbr title="Certificate Revocation List">CRL</abbr>) for things like lost or stolen cards.</p>
<h2>The utopian vision</h2>
<p>To make this vision truly utopian, the standards used by the card would all need to be fully open and public. That way anyone could make use of the cards, not just the Government.</p>
<p>At the moment I've got about a dozen ID cards in my a wallet. An RFID card the building I work in, A Mifare card for our public transport system, my driver's license and so on.</p>
<p>Imagine if I could just give my Unique ID number to my employer, who could add that into the system and I could use my Government issued ID card to open the doors at work. I could use that same card for public transport, my local library, my driver's license<sup id="fnref:drivers-license"><a class="footnote-ref" href="#fn:drivers-license">2</a></sup>, or the Hackerspace down the road.</p>
<p>Better yet if you're using a PC / laptop / smartphone with NFC, the card could act as a <a href="https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html">universal second factor</a>. You swipe your ID card over an NFC reader, which gives the "Something you have" and automatically populates your username, and then enter your password.</p>
<p>There is no reason this would have to be just one country. If the standards were open and public any nation (or anyone at all) could start issuing compatible cards. Want your system to accept cards from Bangladesh? No problem just add their root CA. Don't trust "Honest Abe's Legitimate Card Issuing Authority"? not a problem, don't add their CA to your root trust.</p>
<p>The possibilities are endless, software companies could build it into their system. What if Adobe Reader (or your PDF viewer of choice) added a way you could use your card to add a cryptographic signature to documents. Just click sign, wave your card over an NFC reader and you're done.</p>
<p>Sure someone could steal your card an sign a document, but it's got to be better than the scanned image of pen on paper that we use now. And that segues nicely into...</p>
<h2>Problems with this system</h2>
<p>There are many problems with this system, but I feel they fall broadly into two main categories, <strong>Privacy implications</strong> and <strong>Implementation issues</strong>.</p>
<h3>Implementation issues</h3>
<p>I'm not going to dig too much into the implementation issues. Suffice to say implementing a system like this would be a herculean task, wouldn't trust commercial companies with vast resources and great expertise like Google or Apple to implement a system like this without at least some hiccups and flaws. Let alone a federal government agency where this sort of project would instantly become a political football and important bits get outsourced to the lowest bidder.</p>
<h3>Privacy implications</h3>
<p>More interesting to look at are the privacy implications. All through my utopian vision, I've assumed a benevolent government, one that builds roads, schools, hospitals, provides social services and support for people in need.</p>
<p>But even if we have a benevolent government today, there is no guarantee we won't have a tyrannical dictator next year.</p>
<p>A national identity card would be a very invasive, especially one that could be tracked each time you use it, by making a query back to base. It might not be quite as <a href="https://en.wikipedia.org/wiki/Orwellian">Orwellian</a> as rolling out a <a href="https://www.efa.org.au/2017/10/07/no-safer-with-facial-recognition/">national facial recognition database</a> but in the near future, we are going to have to ask ourselves.</p>
<p><strong>Do we want to trade the privacy that comes with having many, simple, siloed identity systems; for the convenience and efficiency that could come from a unified digital identity system?</strong></p>
<div class="footnote">
<hr>
<ol>
<li id="fn:Unique-ID">
<p>Actually I'm thinking that it would need two Unique ID's one on the front that says the same for the life of the cardholder, and one on the back that's unique for each card, and would be the fingerprint of the public key. <a class="footnote-backref" href="#fnref:Unique-ID" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:drivers-license">
<p>The idea here is you could read the NFC tag on a tablet which queries a license database (over a public API) and a screen pops up with my name, photo and what types of vehicles I'm allowed to drive. To stop people bulk querying the database, each query would need to be signed by the private key on the card it's looking for, so you would need physical access to the card to query the details. <a class="footnote-backref" href="#fnref:drivers-license" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>SEO spear spamming2017-10-05T07:00:00+08:002017-10-05T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-10-05:/seo-spear-spamming.html<p>I've recently started receiving a new type of spam<sup id="fnref:new-type-of-spam"><a class="footnote-ref" href="#fn:new-type-of-spam">1</a></sup>. It's fairly targeted, so like spear phishing, I'd call this stuff spear spamming.</p>
<p>Instead of regular spam which usually falls into categories like "Buy pills online", "Meet single ladies tonight" and "Open this malware laced attachment" this one is sent …</p><p>I've recently started receiving a new type of spam<sup id="fnref:new-type-of-spam"><a class="footnote-ref" href="#fn:new-type-of-spam">1</a></sup>. It's fairly targeted, so like spear phishing, I'd call this stuff spear spamming.</p>
<p>Instead of regular spam which usually falls into categories like "Buy pills online", "Meet single ladies tonight" and "Open this malware laced attachment" this one is sent by someone trying to improve their search engine rankings or <abbr title="Search Engine Optimization">SEO</abbr>. The emails follow a fairly standard formula with a few deviations.</p>
<blockquote>
<p>Hi {Name}</p>
<p>I just finished going through your article here: {url of a post I've written} Thanks for the resource!</p>
<p>I noticed you mentioned {url of a competitors product, that I've linked to}.</p>
<p>I've recently written up a comprehensive and up-to-date 3,000 word review of {general subject area} that I think your readers would be very interested in.</p>
<p>Check out the post here {url of post looking for SEO}.</p>
<p>Would you consider linking to it in the article of yours I mentioned above? I saw you liked to {competitors product} so I figured I'd see if you'd link to mine as well. Perhaps your visitors would find it helpful.</p>
<p>Kind Regards,</p>
<p>{Name of Author of post looking for SEO}</p>
<p>P.S. I respect the relationship you have with your readers, I wouldn't ask you to link to anything I didn't think was an excellent resource for you guys.</p>
</blockquote>
<p>This is then followed up by a second email exactly<sup id="fnref:exactly"><a class="footnote-ref" href="#fn:exactly">2</a></sup> a week later;</p>
<blockquote>
<p>Hello again -</p>
<p>I figured I'd try one more time :)</p>
<p>Did you happen to get my last email? I imagine you are super busy and ...</p>
</blockquote>
<p>I received one of these messages for a post I'd written about <a href="https://xo.tc/tunneling-data-over-dns.html">Tunneling data over DNS</a>, in the footnotes of that post I give credit saying "This network diagram was drawn with <a href="https://www.draw.io/">draw.io</a>" and I got an SEO email saying they were sure my readers would love to learn more about drawing and art.</p>
<p>Google has been pretty open about the fact that the best way to increase a sites <a href="https://en.wikipedia.org/wiki/PageRank">page rank</a> is to get other websites to link to it. So it makes sense that people would scrape the web looking for sites that link to similar content and ask for a link to their site.</p>
<p>The emails look very good but there are a few telltale signs that there automated. One of the emails I got had an unsubscribe link at the bottom. And all of the emails I've seen have been sent using Google's <a href="https://developers.google.com/gmail/api/">Gmail API</a> and have the header</p>
<blockquote>
<p><code>Received: from {random id} named unknown by gmailapi.google.com with HTTPREST;</code></p>
</blockquote>
<div class="footnote">
<hr>
<ol>
<li id="fn:new-type-of-spam">
<p>By that, I mean new to me, this stuff has probably been around for years but I have only just started seeing it. <a class="footnote-backref" href="#fnref:new-type-of-spam" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:exactly">
<p>In my experience, it's always been within one hour of exactly 7 days. <a class="footnote-backref" href="#fnref:exactly" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>Code reuse is good for security2017-09-28T07:00:00+08:002017-09-28T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-09-28:/code-reuse-is-good-for-security.html<p>I was listen to a podcast<sup id="fnref:podcast"><a class="footnote-ref" href="#fn:podcast">1</a></sup> recently and <a href="http://senr.io/team.html">Stephen Ridley from Senrio</a> said "code reuse is vulnerability reuse" and I don't like that.</p>
<p>I don't think Stephen is wrong, I think he is correct in a way and he is a very smart person. The problem is that you …</p><p>I was listen to a podcast<sup id="fnref:podcast"><a class="footnote-ref" href="#fn:podcast">1</a></sup> recently and <a href="http://senr.io/team.html">Stephen Ridley from Senrio</a> said "code reuse is vulnerability reuse" and I don't like that.</p>
<p>I don't think Stephen is wrong, I think he is correct in a way and he is a very smart person. The problem is that you just can't squeeze a huge amount of subtlety and nuance into a three second soundbite.</p>
<p>I believe we are better off overall when we do reuse code. For example I was recently working on a project where I had to take untrusted user input formatted as <a href="http://commonmark.org/">CommonMark</a> and render it as HTML. I could have tried to write my own parser to do that but instead I used the <a href="https://github.com/rtfd/CommonMark-py">CommonMark-py</a> library to change the CommonMark to HTML and then used <a href="https://github.com/mozilla/bleach">Mozilla bleach</a> to whitelist only the HTML tags we want.</p>
<p>Either of those libraries could have horror show bugs in them just waiting to be found and get me pwned, but I'd trust Mozilla to do a better job of sanitizing HTML than I can.</p>
<p>Or in the specific example they were talking about on the podcast; A number of IoT devices were <a href="http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions">using</a> the <a href="https://www.genivia.com/products.html">gSOAP</a> library and there was a remote code execution bug in the library which affected millions of devices. That's bad. But I still think these devices were better off using an existing library than each different vendor trying to write their own SOAP library and getting it wrong in their own unique way<sup id="fnref:unique"><a class="footnote-ref" href="#fn:unique">2</a></sup>.</p>
<p>Importantly though you need a way to track and patch all your libraries quickly and painlessly when issues do inevitably come up.</p>
<p>While code reuse <em>is</em> vulnerability reuse, I'd rather be responsible for software with a large number of (well supported, actively tracked and easily patched) 3rd party libraries than need to look after software where everything is written in house.</p>
<p>On balance I think that "code reuse is good for security"</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:podcast">
<p><a href="https://risky.biz/RB465/">Risky Business #465</a> At 43:28 in. <a class="footnote-backref" href="#fnref:podcast" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:unique">
<p>Although this brings up another issue which is that monoculture is bad, because when a vulnerability does crop up it can spread like wild fire. <a class="footnote-backref" href="#fnref:unique" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>Looking through GitHub's DMCA takedowns2017-09-21T07:00:00+08:002017-09-21T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-09-21:/looking-through-githubs-dmca-takedowns.html<p>GitHub publish a copy of all the <a href="https://github.com/github/dmca">DMCA takedown notices GitHub receives</a>.</p>
<p>One thing I found very interesting was looking at their <a href="https://github.com/github/dmca/graphs/contributors">graphs</a> showing the number of commits over time.</p>
<p><img alt="GitHub DMCA takedowns" src="https://xo.tc/images/github-dmca-takedowns.png"></p>
<p>Of course, this doesn't necessarily mean that DMCA takedowns are being issued more often in general, it could simply be …</p><p>GitHub publish a copy of all the <a href="https://github.com/github/dmca">DMCA takedown notices GitHub receives</a>.</p>
<p>One thing I found very interesting was looking at their <a href="https://github.com/github/dmca/graphs/contributors">graphs</a> showing the number of commits over time.</p>
<p><img alt="GitHub DMCA takedowns" src="https://xo.tc/images/github-dmca-takedowns.png"></p>
<p>Of course, this doesn't necessarily mean that DMCA takedowns are being issued more often in general, it could simply be a reflection of GitHub's own growth over time. Personally, I suspect it's a mix of the two, both that GitHub is becoming a more popular place to store things online, and that more and more DMCA takedown notices are being issued every day.</p>
<p>I think that our copyright system is badly broken, in particular the approach that many sites (not specifically GitHub<sup id="fnref:not-github"><a class="footnote-ref" href="#fn:not-github">1</a></sup>) are forced to take is very "guilty until proven innocent" where content is removed first with the option to appeal later, and there is little recourse against organisations that submit inaccurate takedown requests.</p>
<p>However, I find it hard to get too worked up about the notices on GitHub, having looked through a few of them, most seem to be fairly tightly targeted and aimed at a single repository of clearly infringing content. In fact I was surprised how many of them were for .pdf copies of books and not for code at all.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:not-github">
<p>GitHub actually have the phrase "Users identified in the notices are presumed innocent until proven guilty", although I'm not sure exactly how that works. If they are getting less than 40 per day it's conceivable they have a real human being looking at each of the notices. Actioning the ones that are simple and investigating or flagging ones that might be a grey area. <a class="footnote-backref" href="#fnref:not-github" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Does Microsoft's Office 365 licensing model encourage poor security practices?2017-09-14T07:00:00+08:002017-09-14T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-09-14:/does-microsofts-office-365-licensing-model-encourage-poor-security-practices.html<p>I've recently survived a migration to Office 365 with relatively few scars and coming out only slightly more cynical, bitter and twisted than I was when I when I started<sup id="fnref:cynical-bitter-and-twisted"><a class="footnote-ref" href="#fn:cynical-bitter-and-twisted">1</a></sup>.</p>
<p>I remember speaking to a Microsoft sales rep at some conference or other, they said that in Office 365 …</p><p>I've recently survived a migration to Office 365 with relatively few scars and coming out only slightly more cynical, bitter and twisted than I was when I when I started<sup id="fnref:cynical-bitter-and-twisted"><a class="footnote-ref" href="#fn:cynical-bitter-and-twisted">1</a></sup>.</p>
<p>I remember speaking to a Microsoft sales rep at some conference or other, they said that in Office 365 you only need to buy one license per users. That's it, and a user was unofficially defined as a living breathing bag of meat that has an Office 365 account.</p>
<ul>
<li>No more worrying about buying CALs for printers and photocopiers</li>
<li>No need to buy an extra license for users who had a regular account and an administrative account</li>
<li>No extra CALs because someone wants their emails on their phone <em>and</em> their laptop at the same time</li>
<li>No need to license accounts used by system scripts and scheduled tasks.</li>
<li>No worries about Per-Core vs Per-CPU licensing</li>
<li>No need to license unused CPU cores because a VM could potentially be migrated in a failover situation.</li>
<li>No weird definition of "User"<sup id="fnref:who-is-a-user"><a class="footnote-ref" href="#fn:who-is-a-user">2</a></sup></li>
</ul>
<p>Just one license per person. Simple. I was quite surprised.</p>
<p>It turns out that's not quite correct, while you don't <em>have to</em> license <abbr title="Multifunction Devices (i.e. Photocopiers)">MFDs</abbr>. In practice, if you want your photocopiers and scanners to be able to authenticate and send email using Office 365 they are going to need an account.</p>
<p>There is a work around for this, I could setup a shared account scanner@example.com, shared accounts don't need a license. I could give my account Michael.VanDelft@example.com 'Send As' permission. Then I can then setup the photocopiers to authenticate with my credentials and send email as scanner@example.com. While that's totally ok from an Office 365 licensing perspective I'm left with my username and password stored in a bunch of poorly secured photocopiers and I can't change my password without breaking the scan to email function on all our photocopiers.</p>
<p>There are some other <a href="https://support.office.com/en-us/article/How-to-set-up-a-multifunction-device-or-application-to-send-email-using-Office-365-69f58e99-c550-4274-ad18-c805d654b4c4">work arrounds</a> for this, but they either involve direct send or running an SMTP relay and neither option is great.</p>
<p>We have a plethora of things which send email, not just photocopiers but system monitoring tools, our backup software sends reports, several system scripts, our financial system, even our firewall emails alerts occasionally.</p>
<p>If we want these all these things to send emails through Office 365 so we get DMARC, TLS, Authentication and all that other goodness that comes with a well-configured mail server we need to license them.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:cynical-bitter-and-twisted">
<p>Although it's possible that I've almost reached peak cynical saturation and simply couldn't have got any more bitter and twisted even if it had been a migration to Oracle's god-awful "Oracle Communications Messaging Server". <a class="footnote-backref" href="#fnref:cynical-bitter-and-twisted" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:who-is-a-user">
<p>We were once looking at Microsoft SQL server and we were told that if we had some software (e.g. accounting software) that used a single account to connect to the database, anyone who used that software was a "user" of the database, even if we only had one account setup in SQL server. Fair enough, I guess. But then they extrapolated that to say that if we used a CMS like WordPress with Microsoft SQL server as the back end, then we would need a license for everyone who viewed or commented on our website as they too would be a "user" of our database. Needless to say, we went with Per-Core licensing rather than per user. I've since been told that this is not correct by a number of "Microsoft Licensing Experts" however it's what we were told at the time by our reseller who was a "Microsoft Gold Certified Partner". <a class="footnote-backref" href="#fnref:who-is-a-user" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>CrashPlan personal is shutting down2017-09-07T07:00:00+08:002017-09-07T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-09-07:/crashplan-personal-is-shutting-down.html<p>I’m currently using CrashPlan to back up my home server, desktop, laptop and a few computers for family members. I’ve been fairly happy with it and it ticks most of the boxes. But I recently got the email saying that <a href="https://www.crashplan.com/en-us/consumer/nextsteps/">CrashPlan for home will be shutdown</a>.</p>
<p>So now …</p><p>I’m currently using CrashPlan to back up my home server, desktop, laptop and a few computers for family members. I’ve been fairly happy with it and it ticks most of the boxes. But I recently got the email saying that <a href="https://www.crashplan.com/en-us/consumer/nextsteps/">CrashPlan for home will be shutdown</a>.</p>
<p>So now I'm on the hunt for some new backup software. The features I’m looking for are:</p>
<ul>
<li>Must be Cross Platform (Window and Linux, I don’t need Mac but it would be nice)</li>
<li>Must be able to run on a headless Linux server</li>
<li>Must be able to do incremental backups at the file level (e.g. If I’ve got a 20GB QCOW2 file and 100Mb of that changes I don’t want to reupload 20GB)</li>
<li>Must be able to restore file revisions (not just the latest version like if I just used Rsync)</li>
<li>Must be able to encrypt backups locally before uploading them</li>
<li>Should be able to upload to some sort of “Cloud” offering. I don’t mind whether that’s the backup vendor’s infrastructure or something public like Amazon S3</li>
<li>Should be able to do continuous backups (CrashPlan could run every 15 minutes, that's pretty good)</li>
<li>Would be nice if it was also able to back up to a server I control or other desktops.</li>
<li>Would be nice if it could backup to a physical drive (external USB hard drive)</li>
<li>Would be nice if it was open source</li>
<li>Would be nice if it also had a pretty GUI, although I’d take an ugly and difficult system that's set and forget over a pretty GUI that needs tending regularly.</li>
</ul>
<p>I realise that’s quite a long list but other than headless Linux support I think most of it is pretty mainstream requirements for a backup tool.</p>Are outbound firewalls worthwhile?2017-08-31T07:00:00+08:002017-08-31T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-08-31:/are-outbound-firewalls-worthwhile.html<p>I was recently setting up a server on Microsoft's Azure platform from work and by default Azure pick I high port number<sup id="fnref:high-port-number"><a class="footnote-ref" href="#fn:high-port-number">1</a></sup> and NAT it to port 3389 for RDP. I must have spent a good hour trying to work out why I couldn't connect to the server when …</p><p>I was recently setting up a server on Microsoft's Azure platform from work and by default Azure pick I high port number<sup id="fnref:high-port-number"><a class="footnote-ref" href="#fn:high-port-number">1</a></sup> and NAT it to port 3389 for RDP. I must have spent a good hour trying to work out why I couldn't connect to the server when I finally realized that I hadn't unblocked the port I was trying to connect on in our outbound firewall.</p>
<p>Now I'm <a href="https://xo.tc/changing-ssh-from-port-22.html">skeptical</a> of the value of changing port numbers to hide services anyway but also don't know how much value, if any our outbound firewall add either.</p>
<p>On the one hand, we allow ports 22 and 443 outbound so it's easy for someone to tunnel over ssh or proxy through a HTTPS website. Basically, if someone wants to connect out of our network, the firewall not going to stop them.</p>
<p>On the other hand, we don't open port 23 so if someone brought in a home route infected with Mirai and it tried to telnet out to infect others, or some other dumb worm that uses a port we don't have open then our firewall would at least block that.</p>
<p>So like many defenses in depth things, by itself, it's not going to make much difference, but it's one more layer that malware needs to get around.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:high-port-number">
<p>I read somewhere that it's a random number in the range 49152-65535 but couldn't find official documentation to back that up. <a class="footnote-backref" href="#fnref:high-port-number" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Review of Fatal Flight: The True Story of Britain's Last Great Airship2017-08-24T07:00:00+08:002017-08-24T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-08-24:/review-of-fatal-flight-the-true-story-of-britains-last-great-airship.html<p>I've just finished listening to <a href="http://www.engineerguy.com/airship/">Fatal Flight: The True Story of Britain's Last Great Airship</a> and it is, in a word "Brilliant".</p>
<p>When I started this blog I intended to put up several book reviews, a year and half later, this is my second book review.</p>
<p>Bill Hammack is an …</p><p>I've just finished listening to <a href="http://www.engineerguy.com/airship/">Fatal Flight: The True Story of Britain's Last Great Airship</a> and it is, in a word "Brilliant".</p>
<p>When I started this blog I intended to put up several book reviews, a year and half later, this is my second book review.</p>
<p>Bill Hammack is an incredibly eloquent author and can turn the most seemingly mundane of topics into a fascinating story.</p>
<p>In the book, Bill explores the story of R101 "Britain's Last Great Airship" the people that built it and why it ultimately failed<sup id="fnref:failed"><a class="footnote-ref" href="#fn:failed">1</a></sup>.</p>
<p>As an engineer, Bill is well equipped to look at the technical details, but he also does an outstanding job of examining the political reasons why airships failed, both for R101 specifically and British airships generally.</p>
<p>While the book is not related to information security, in fact, it's not even related to information technology, it's one of those books that I think would enrich the knowledge of anyone working on large projects be they engineering or otherwise.</p>
<p>Bill has generously released the audiobook as Creative Commons and I would encourage anyone to go over to his site and <a href="http://www.engineerguy.com/airship/">download a copy</a>. </p>
<div class="footnote">
<hr>
<ol>
<li id="fn:failed">
<p>This was partly the inspiration for last weeks post on <a href="https://xo.tc/learning-from-failure.html">learning from failure</a> <a class="footnote-backref" href="#fnref:failed" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Learning from failure2017-08-17T07:00:00+08:002017-08-17T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-08-17:/learning-from-failure.html<p>Recently I watched a video by Tom Scott about a <a href="https://www.youtube.com/watch?v=PfdBTsyrqaI">Museum of Failure</a>. It's a fascinating video and well worth watching.</p>
<p>Often there is a lot of emphases put on learning from the great successes, seeing what successful people or projects have done and trying to emulate them. But learning …</p><p>Recently I watched a video by Tom Scott about a <a href="https://www.youtube.com/watch?v=PfdBTsyrqaI">Museum of Failure</a>. It's a fascinating video and well worth watching.</p>
<p>Often there is a lot of emphases put on learning from the great successes, seeing what successful people or projects have done and trying to emulate them. But learning from failure is just as important and often overlooked.</p>
<p>Seeing where projects have gone wrong and how to avoid those weaknesses in the future can be incredibly beneficial.</p>
<p>I remember being told once that</p>
<blockquote>
<p>You never really understand the value in things like project management and it's easy to see them as needless overhead, until you have worked on a project that has failed.</p>
</blockquote>Reuse before buy before build2017-08-10T07:00:00+08:002017-08-10T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-08-10:/reuse-before-buy-before-build.html<p>Yesterday I was at a <abbr title="Chief Information Officer">CIO</abbr> forum and one of the presentations was about Enterprise Architecture Planning within the West Australian State Government. They were pushing the idea that government departments should work together as a single organisation rather than as separate and sometimes competing entities and they used the …</p><p>Yesterday I was at a <abbr title="Chief Information Officer">CIO</abbr> forum and one of the presentations was about Enterprise Architecture Planning within the West Australian State Government. They were pushing the idea that government departments should work together as a single organisation rather than as separate and sometimes competing entities and they used the phrase:</p>
<blockquote>
<p>Reuse before buy before build.</p>
</blockquote>
<p>I think that's great.</p>
<p>If there is existing software that you or another department has developed or have already licensed, or there is open source software available use that first.</p>
<p>Only if reuse is not possible, then look at buying an off the shelf solution.</p>
<p>Finally, if there is no existing open source solution and no off the shelf solution, then develop a new solution.</p>Installing software from the Arch User Repository2017-08-03T07:00:00+08:002017-08-03T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-08-03:/installing-software-from-the-arch-user-repository.html<p>This is another <a href="https://xo.tc/tag/note-to-self.html">note to self</a>, it is very simple and I've done this a few times before but every single time I need to go back to the <a href="https://wiki.archlinux.org/index.php/Arch_User_Repository">documentation</a>.</p>
<p>In this example I'll install <a href="http://glassechidna.com.au/heimdall/">heimdall</a> which is used for flashing new firmware onto samsung phones.</p>
<p>First go to <a href="https://aur.archlinux.org/">https …</a></p><p>This is another <a href="https://xo.tc/tag/note-to-self.html">note to self</a>, it is very simple and I've done this a few times before but every single time I need to go back to the <a href="https://wiki.archlinux.org/index.php/Arch_User_Repository">documentation</a>.</p>
<p>In this example I'll install <a href="http://glassechidna.com.au/heimdall/">heimdall</a> which is used for flashing new firmware onto samsung phones.</p>
<p>First go to <a href="https://aur.archlinux.org/">https://aur.archlinux.org/</a> and type the name of the package into the package search box.</p>
<p>This takes us to <a href="https://aur.archlinux.org/packages/heimdall-git">https://aur.archlinux.org/packages/heimdall-git</a> then copy the git clone url from the top. In my case I've got a folder setup for AUR installs because I like things to be organised but it's not necessary.</p>
<p>clone the repository, <code>cd</code> into it, then run <code>makepkg -si</code>. makepkg should not be run as root, when root permissions are needed you will be prompted for your password if you have sudo or the root password otherwise.</p>
<div class="highlight"><pre><span></span><code>git clone https://aur.archlinux.org/heimdall-git.git
cd heimdall-git
makepkg -si
</code></pre></div>
<p>and that's it. It really is very simple.</p>
<p>Then later to remove the package and it's dependancies you can run</p>
<div class="highlight"><pre><span></span><code>sudo pacman -Rs heimdall-git
</code></pre></div>
<p>You can also run <code>pacman -Qem</code> to get a list of manually installed packages which for most people will be just the packages they have installed from AUR.</p>Veeam backup errors after NAS hard drive failure2017-07-27T07:00:00+08:002017-07-27T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-07-27:/veeam-backup-errors-after-nas-hard-drive-failure.html<p>We have a setup at work where we have two Hyper-V servers in a failover cluster mounting a VHD on a NAS<sup id="fnref:on-a-nas"><a class="footnote-ref" href="#fn:on-a-nas">1</a></sup> as an iSCSI target running a number of VMs that get backed up by Veeam.</p>
<p>Recently we had a hard drive failure in the NAS. The NAS …</p><p>We have a setup at work where we have two Hyper-V servers in a failover cluster mounting a VHD on a NAS<sup id="fnref:on-a-nas"><a class="footnote-ref" href="#fn:on-a-nas">1</a></sup> as an iSCSI target running a number of VMs that get backed up by Veeam.</p>
<p>Recently we had a hard drive failure in the NAS. The NAS had RAID 5 with a hot spare<sup id="fnref:hot-spare"><a class="footnote-ref" href="#fn:hot-spare">2</a></sup> so no problem, in this case, the drive died on a Friday so I shut the server down on the weekend, popped a new drive in and rebuilt the array offline.</p>
<p>All looked good, the RAID controller said all drives were OK and the servers started back up fine, but the next night the Veeam backups failed with the error message.</p>
<div class="highlight"><pre><span></span><code><span class="mi">2017</span><span class="o">-</span><span class="mi">07</span><span class="o">-</span><span class="mi">23</span> <span class="mi">9</span><span class="p">:</span><span class="mi">16</span><span class="p">:</span><span class="mi">59</span> <span class="n">PM</span> <span class="p">::</span> <span class="n">Processing</span> <span class="n">HWFS1</span> <span class="n">Error</span><span class="p">:</span> <span class="n">Incorrect</span> <span class="n">function</span><span class="o">.</span>
<span class="n">Failed</span> <span class="n">to</span> <span class="n">read</span> <span class="n">data</span> <span class="n">from</span> <span class="n">the</span> <span class="n">file</span> <span class="p">[</span>\\<span class="err">?</span>\<span class="n">GLOBALROOT</span>\<span class="n">Device</span>\<span class="n">CSV</span><span class="p">{</span><span class="mi">8144</span><span class="n">a28c</span><span class="o">-</span><span class="mi">459</span><span class="n">c</span><span class="o">-</span><span class="mi">41</span><span class="n">a7</span><span class="o">-</span><span class="n">a274</span><span class="o">-</span><span class="n">b03ae6a3d493</span><span class="p">}</span>\<span class="n">HWFS1_D</span><span class="o">.</span><span class="n">vhd</span><span class="p">]</span><span class="o">.</span>
<span class="n">Failed</span> <span class="n">to</span> <span class="n">read</span> <span class="n">data</span> <span class="n">from</span> <span class="n">the</span> <span class="n">file</span> <span class="p">[</span>\\<span class="err">?</span>\<span class="n">GLOBALROOT</span>\<span class="n">Device</span>\<span class="n">CSV</span><span class="p">{</span><span class="mi">8144</span><span class="n">a28c</span><span class="o">-</span><span class="mi">459</span><span class="n">c</span><span class="o">-</span><span class="mi">41</span><span class="n">a7</span><span class="o">-</span><span class="n">a274</span><span class="o">-</span><span class="n">b03ae6a3d493</span><span class="p">}</span>\<span class="n">HWFS1_D</span><span class="o">.</span><span class="n">vhd</span><span class="p">]</span><span class="o">.</span>
<span class="n">Failed</span> <span class="n">to</span> <span class="n">upload</span> <span class="n">disk</span><span class="o">.</span>
<span class="n">Agent</span> <span class="n">failed</span> <span class="n">to</span> <span class="n">process</span> <span class="n">method</span> <span class="p">{</span><span class="n">DataTransfer</span><span class="o">.</span><span class="n">SyncDisk</span><span class="p">}</span><span class="o">.</span>
<span class="n">Exception</span> <span class="n">from</span> <span class="n">server</span><span class="p">:</span> <span class="n">Incorrect</span> <span class="n">function</span><span class="o">.</span>
<span class="n">Failed</span> <span class="n">to</span> <span class="n">read</span> <span class="n">data</span> <span class="n">from</span> <span class="n">the</span> <span class="n">file</span> <span class="p">[</span>\\<span class="err">?</span>\<span class="n">GLOBALROOT</span>\<span class="n">Device</span>\<span class="n">CSV</span><span class="p">{</span><span class="mi">8144</span><span class="n">a28c</span><span class="o">-</span><span class="mi">459</span><span class="n">c</span><span class="o">-</span><span class="mi">41</span><span class="n">a7</span><span class="o">-</span><span class="n">a274</span><span class="o">-</span><span class="n">b03ae6a3d493</span><span class="p">}</span>\<span class="n">HWFS1_D</span><span class="o">.</span><span class="n">vhd</span><span class="p">]</span><span class="o">.</span>
</code></pre></div>
<p>After some digging, I found events in the event view on the NAS that said.</p>
<div class="highlight"><pre><span></span><code>Logical drive 2 configured on array controller P212 located in server slot 3 returned a fatal error during a read/write request from/to the volume.
Logical block address 4123043672, block count 8 and command 32 were taken from the failed logical I/O request.
Array controller P212 located in server slot 3 is also reporting that the last physical drive to report a fatal error condition (associated with this logical request), is located on bus 0 and ID 11.
</code></pre></div>
<p>So I ran <code>chkdsk /f e:</code> on the server and it said</p>
<div class="highlight"><pre><span></span><code>Windows has checked the file system and found no problems.
</code></pre></div>
<p>But I was still seeing the error messages in event viewer. Then I tried <code>chkdsk /r e:</code> which took several hours but eventually came back and reported that it had found and repaired (moved) several unreadable sectors.</p>
<p>So even when every thing seems ok, and chkdsk reports no errors if you get a <code>Failed to read data from the file</code> message from Veeam it could be bad sectors on the underlying disk.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:on-a-nas">
<p>This is not a good design for a number of reasons, we are migrating away from it, but that's a blog post for another time. <a class="footnote-backref" href="#fnref:on-a-nas" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:hot-spare">
<p>Also not great design. <a class="footnote-backref" href="#fnref:hot-spare" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>A morbidly fascinating look at Australian causes of death2017-07-20T07:00:00+08:002017-07-20T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-07-20:/a-morbidly-fascinating-look-at-australian-causes-of-death.html<p>Recently a discussion came up on the <a href="https://www.itpa.org.au/">ITPA</a> discourse, where the Australian Federal Government is trying to get backdoor<sup id="fnref:backdoor"><a class="footnote-ref" href="#fn:backdoor">1</a></sup> access to the content of encrypted messaging apps.</p>
<p>This included a great quote<sup id="fnref:quote"><a class="footnote-ref" href="#fn:quote">2</a></sup> from our esteemed leader Malcolm Turnbull:</p>
<blockquote>
<p>"The laws of mathematics are very commendable but the only …</p></blockquote><p>Recently a discussion came up on the <a href="https://www.itpa.org.au/">ITPA</a> discourse, where the Australian Federal Government is trying to get backdoor<sup id="fnref:backdoor"><a class="footnote-ref" href="#fn:backdoor">1</a></sup> access to the content of encrypted messaging apps.</p>
<p>This included a great quote<sup id="fnref:quote"><a class="footnote-ref" href="#fn:quote">2</a></sup> from our esteemed leader Malcolm Turnbull:</p>
<blockquote>
<p>"The laws of mathematics are very commendable but the only laws that apply in Australia is the law of Australia."</p>
</blockquote>
<p>Patrick Gray has a <a href="https://risky.biz/bannedmath/">great write-up</a> where he suggests that what the Government are really after is a way to compel companies like Apple and Google to push a rogue update to targeted handsets that will allow law enforcement access to the decrypted communications on the device itself.</p>
<p>Inevitably the question of whether all the recent anti-terror legislation passed by the Australian Federal Government was saving lives, and how many people had been killed by terrorism with one member stating more people had been killed by knives than by terrorism.</p>
<blockquote>
<p>yet we don't see the government trying to ban knives, or legislating that only blunt knives can be sold.</p>
</blockquote>
<p>While I completely agree with the above, I thought it would be interesting to look through some hard data<sup id="fnref:hard-data"><a class="footnote-ref" href="#fn:hard-data">3</a></sup>.</p>
<p>I went to the Australian Bureau Statistics website where they publish ten years worth of <a href="http://www.abs.gov.au/Causes-of-Death">cause of death data</a> in Australia. I downloaded the <a href="http://www.abs.gov.au/AUSSTATS/subscriber.nsf/log?openagent&3303_1%20underlying%20causes%20of%20death%20%28australia%29.xls&3303.0&Data%20Cubes&A601587C5EA0E34FCA25803B0017FA62&0&2015&28.09.2016&Latest">Underlying cause of death, All causes, Australia</a> spread sheet and started reading through.</p>
<p>Unsurprisingly ABS doesn't list "terrorism" as a cause of death, I suspect any terrorism related deaths would be under "CHAPTER XX External causes of morbidity and mortality (V01-Y98)", then under "Other external causes of mortality (X60-Y36)", then "Assault (X85-Y09)" and finally under whichever specific heading was relevant. For example "Assault by explosive material (X96)" or "Assault by rifle, shotgun and larger firearm discharge (X94)".</p>
<p>Because I was unable to work out which deaths were from terrorism in the ABS statistics, I then found a fairly well sourced <a href="https://en.wikipedia.org/wiki/Terrorism_in_Australia">Wikipedia article</a> from which we get the following table</p>
<table>
<thead>
<tr>
<th align="right">Year</th>
<th align="right">Number of incidents<sup id="fnref:incidents"><a class="footnote-ref" href="#fn:incidents">4</a></sup></th>
<th align="right">Deaths</th>
<th align="right">Injuries</th>
</tr>
</thead>
<tbody>
<tr>
<td align="right">2006</td>
<td align="right">2</td>
<td align="right">0</td>
<td align="right">0</td>
</tr>
<tr>
<td align="right">2007</td>
<td align="right">0</td>
<td align="right">0</td>
<td align="right">0</td>
</tr>
<tr>
<td align="right">2008</td>
<td align="right">3</td>
<td align="right">0</td>
<td align="right">0</td>
</tr>
<tr>
<td align="right">2009</td>
<td align="right">1</td>
<td align="right">0</td>
<td align="right">0</td>
</tr>
<tr>
<td align="right">2010</td>
<td align="right">1</td>
<td align="right">0</td>
<td align="right">0</td>
</tr>
<tr>
<td align="right">2011</td>
<td align="right">0</td>
<td align="right">0</td>
<td align="right">0</td>
</tr>
<tr>
<td align="right">2012</td>
<td align="right">0</td>
<td align="right">0</td>
<td align="right">0</td>
</tr>
<tr>
<td align="right">2013</td>
<td align="right">1</td>
<td align="right">0</td>
<td align="right">0</td>
</tr>
<tr>
<td align="right">2014</td>
<td align="right">8</td>
<td align="right">4</td>
<td align="right">7</td>
</tr>
<tr>
<td align="right">2015</td>
<td align="right">7</td>
<td align="right">2</td>
<td align="right">0</td>
</tr>
<tr>
<td align="right"><strong>Total</strong></td>
<td align="right"><strong>23</strong></td>
<td align="right"><strong>6</strong></td>
<td align="right"><strong>7</strong></td>
</tr>
</tbody>
</table>
<p>Which gives us 6 deaths over the same 10 year period as the ABS statistics. Of the 1,454,112 deaths in that period that's about 0.0004% were from terrorism, it slips in just behind "Other disorders of penis (N48)" killing 7 people and "Inflammatory disorders of male genital organs, not elsewhere classified (N49)" taking the lives of 64 men between 2006 and 2015.</p>
<p>Terrorism absolutely pales in comparison to our top category<sup id="fnref:category"><a class="footnote-ref" href="#fn:category">5</a></sup> "CHAPTER IX Diseases of the circulatory system (I00-I99)" with a whopping 31.4% totaling 456,956 deaths over ten years.</p>
<p>Not all, but many deaths from diseases of the circulatory system are preventable. Tens of thousands of lives, maybe even hundreds of thousands of lives over that same ten year period could have been saved with greater investment in Health Promotion<sup id="fnref:health-promtion"><a class="footnote-ref" href="#fn:health-promtion">6</a></sup> and tougher laws<sup id="fnref:tougher-laws"><a class="footnote-ref" href="#fn:tougher-laws">7</a></sup> on tobacco, alcohol and fastfood. </p>
<div class="footnote">
<hr>
<ol>
<li id="fn:backdoor">
<p>They say they "don't want a backdoor", what they want is something different, and then proceed to describe <a href="http://www.abc.net.au/news/8709654">a system</a> that by any reasonable definition is a backdoor. <a class="footnote-backref" href="#fnref:backdoor" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:quote">
<p>In fairness to Malcolm, if you followed me around with a camera all day and made me do several press conferences on a number of different subjects, you wouldn't have to wait long for me to say something gobsmackingly stupid too. <a class="footnote-backref" href="#fnref:quote" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:hard-data">
<p>I fully admit that I went into this with a theory and was simply looking for data to back up what I already believed. So while this data is accurate, I didn't put much effort into looking for data which refuted my world view, you can take this with a grain of salt if you like. <a class="footnote-backref" href="#fnref:hard-data" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
<li id="fn:incidents">
<p>Of course there is the question of when does something change from simply crime to terrorism? When does a boat become a ship? How long is a piece of string? but I'm happy to go with whats in the Wikipedia article. <a class="footnote-backref" href="#fnref:incidents" title="Jump back to footnote 4 in the text">↩</a></p>
</li>
<li id="fn:category">
<p>I know that "Diseases of the circulatory system" is a whole broad category of causes rather than a single cause, but I would say that "Terrorism" is a whole category too, it's not broken down into individual causes so it's a fair comparison. <a class="footnote-backref" href="#fnref:category" title="Jump back to footnote 5 in the text">↩</a></p>
</li>
<li id="fn:health-promtion">
<p>Full disclosure, I work for The West Australian Health Promotion Foundation. Also in case any readers lack common sense, <em>My views</em> that <em>I express</em> on <em>my personal blog</em> are my own, and not those of my employer. <a class="footnote-backref" href="#fnref:health-promtion" title="Jump back to footnote 6 in the text">↩</a></p>
</li>
<li id="fn:tougher-laws">
<p>To be clear here, when I say "tougher laws" I don't support prohibition. If informed adults want to put something into their own body that's up to them. I'm talking about things like <a href="https://en.wikipedia.org/wiki/Plain_tobacco_packaging">plain packaging</a>, health warnings, advertising restrictions and higher taxes. The devil is in the details but I support the idea of a <a href="https://greens.org.au/sugar-tax">sugar tax</a> for example. <a class="footnote-backref" href="#fnref:tougher-laws" title="Jump back to footnote 7 in the text">↩</a></p>
</li>
</ol>
</div>Crashplan no longer offer restore to door service2017-07-13T07:00:00+08:002017-07-13T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-07-13:/crashplan-no-longer-offer-restore-to-door-service.html<p>A while ago I got an email from someone who was Googling for <code>rsync crashplan</code> and stumbled upon a previous blog post about <a href="https://xo.tc/backing-up-a-remote-server-with-rsync.html">backing up servers with rsync</a> then using Crashplan to backup those files.</p>
<p>They were desperately looking for some kind of rsync-like solution to restore a lot of …</p><p>A while ago I got an email from someone who was Googling for <code>rsync crashplan</code> and stumbled upon a previous blog post about <a href="https://xo.tc/backing-up-a-remote-server-with-rsync.html">backing up servers with rsync</a> then using Crashplan to backup those files.</p>
<p>They were desperately looking for some kind of rsync-like solution to restore a lot of data from Crashplan over a bad connection.</p>
<p>My initial thoughts were that Crashplan had a service where they would send you your backups on a hard disk. The old "never underestimate the bandwidth of a station wagon full of tapes" sort of thing.</p>
<p>But after a bit of searching, I found that their <a href="https://helpdesk.code42.com/hc/en-us/articles/114094194433-CrashPlan-for-Home-Restore-to-Door-Service-to-be-Discontinued-Jan-4-2016">Restore-to-Door</a> service was discontinued in early 2016. I was frustrated that I was unable to help the person who had contacted me, but also a little worried that I might end up in the exact same situation.</p>
<p>At the moment I've got a Family license for Crahsplan which for $165 AUD a year covers up to 10 computers. I've got it installed on my several of my computers as well as my mums, uncles, and fiancée. Some of those computers have over 300GB of stuff on them and to download all of that again over the dodgy ADSL we get in Perth would take the better part of a month.</p>
<p>I'm not sure what I'm going to do, but I am seriously considering finding somewhere locally to host my own Crashplan server, that I can get physical access to and not paying for Crashplan's cloud offerings anymore.</p>Sleazy marketing2017-07-06T07:00:00+08:002017-07-06T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-07-06:/sleazy-marketing.html<p>I was recently looking at a number of application whitelisting solutions and one of the ones I was looking at was <a href="https://en.wikipedia.org/wiki/Carbon_Black_%28company%29">Carbon Black</a>. I spent quite a bit of time on their website trying to see if they actually published any solid, useful, technical documentation about what it is they …</p><p>I was recently looking at a number of application whitelisting solutions and one of the ones I was looking at was <a href="https://en.wikipedia.org/wiki/Carbon_Black_%28company%29">Carbon Black</a>. I spent quite a bit of time on their website trying to see if they actually published any solid, useful, technical documentation about what it is they actually do beyond their tagline "Stop the Most Attacks. See Every Threat. Compromise Nothing."</p>
<p>A few days later I got a call from a sales person from Carbon Black saying that they saw I was interested in their product.</p>
<p>I assume they have some algorithm on their website analytics that does a lookup on any IP address that spends more than a set amount of time on their site (I was there for about 10 minutes). If you do a PTR lookup on our gateway IP address or throw it into any Geo IP database like <a href="http://ipinfo.io">ipinfo</a> our organisation comes up. From there it's not hard to Google us, call reception and ask for whoever manages IT Security.</p>
<p>I browse the web with <a href="http://donottrack.us/">Do Not Track</a> switched on, I understand that it's voluntary and websites can just ignore that flag. But tracking me shows a complete lack of respect for users privacy wishes and doesn't inspire me to install their products on all of the desktops I manage.</p>
<p>Bruce Schneier blogged about something similar recently where websites were <a href="https://www.schneier.com/blog/archives/2017/06/websites_grabbi.html">grabbing user form data before it's submitted</a>. He says</p>
<blockquote>
<p>"This is important because it goes against what people expect"</p>
</blockquote>
<p>Just like using javascript to grab from data, tracking users is not that technically difficult but it's not what people expect. Browsing someone's website is not the same as filling in the contact us form and you don't expect to get a call from one of their marketing people.</p>Setting Up Full Disk Encryption on Debian 9 Stretch2017-06-29T07:00:00+08:002017-06-29T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-06-29:/setting-up-full-disk-encryption-on-debian-9-stretch.html<p>Previously I did a tutorial on Installing <a href="https://xo.tc/setting-up-full-disk-encryption-on-debian-jessie.html">Debian 8 Jessie</a> with full disk encryption, in that tutorial I went into a lot of detail about manually partitioning the disks. If for some reason you want to manually partition your disks I would reccomend that tutorial, it will still work for …</p><p>Previously I did a tutorial on Installing <a href="https://xo.tc/setting-up-full-disk-encryption-on-debian-jessie.html">Debian 8 Jessie</a> with full disk encryption, in that tutorial I went into a lot of detail about manually partitioning the disks. If for some reason you want to manually partition your disks I would reccomend that tutorial, it will still work for Debian 9 Stretch.</p>
<p>However this tutorial is much more simplified I've used the grapical installer and gone with "Guided - use entire disk and set up encrypted LVM".</p>
<p>As I've mentioned in all my tutorials on <a href="https://xo.tc/full-disk-encryption-on-linux.html">Full Disk Encryption</a> I say "Full" disk encryption but that's not entirely correct there is still a small partition <code>/boot</code> that's unencrypted. That contains your kernel, grub config and initrd and needs to be unencrypted so we can start booting and decrypt the rest of the OS.</p>
<p>So let's get started</p>
<h2>Installing</h2>
<p>Boot up your CD, USB flash drive, ISO file or install media of choice and select Graphical install.</p>
<p><img alt="CD Boot" src="https://xo.tc/images/debian-stretch-01-cd-boot.png"></p>
<p>Select your language.</p>
<p><img alt="Select a language" src="https://xo.tc/images/debian-stretch-02-select-a-language.png"></p>
<p>Select your location.</p>
<p><img alt="Select a location" src="https://xo.tc/images/debian-stretch-03-select-your-location.png"></p>
<p>Set your keyboard layout.</p>
<p><img alt="Configure the Keyboard" src="https://xo.tc/images/debian-stretch-04-configure-the-keyboard.png"></p>
<p>Pick a <a href="https://xkcd.com/910/">name</a> for your computer.</p>
<p><img alt="Configure the network" src="https://xo.tc/images/debian-stretch-05-configure-the-network.png"></p>
<p>Set your local domain.</p>
<p><img alt="Configure the network" src="https://xo.tc/images/debian-stretch-06-configure-the-network.png"></p>
<p>I personally leave the root password blank, this disables the root account and instead sets you up with a first user that can run <code>sudo</code> to become root.</p>
<p><img alt="set up users and passwords" src="https://xo.tc/images/debian-stretch-07-set-up-users-and-passwords.png"></p>
<p>Enter your full name.</p>
<p><img alt="set up users and passwords" src="https://xo.tc/images/debian-stretch-08-set-up-users-and-passwords.png"></p>
<p>Pick your username (the default is usually pretty good).</p>
<p><img alt="set up users and passwords" src="https://xo.tc/images/debian-stretch-09-set-up-users-and-passwords.png"></p>
<p>Set your password.</p>
<p><img alt="set up users and passwords" src="https://xo.tc/images/debian-stretch-10-set-up-users-and-passwords.png"></p>
<p>Set your timezone.</p>
<p><img alt="Configure the clock" src="https://xo.tc/images/debian-stretch-11-configure-the-clock.png"></p>
<h2>The encryption</h2>
<p>This is where the magic happens, actually it's quite simple, we are going to pick "Guided - use entire disk and set up encrypted LVM" and then just go with the defaults. As I said before if for some reason you want to manually partition your disks I would reccomend a previous <a href="https://xo.tc/setting-up-full-disk-encryption-on-debian-jessie.html">tutorial</a>.</p>
<p><img alt="Partition disks" src="https://xo.tc/images/debian-stretch-12-partition-disks.png"></p>
<p>Select the volume to install Debian. (This will wipe whatever you have on that disk!!)</p>
<p><img alt="Partition disks" src="https://xo.tc/images/debian-stretch-13-partition-disks.png"></p>
<p>Pick "All files in one partition (recommended for new users)".</p>
<p><img alt="Partition disks" src="https://xo.tc/images/debian-stretch-14-partition-disks.png"></p>
<p>Pick 'Yes' to write the changes to the disks.</p>
<p><img alt="Partition disks" src="https://xo.tc/images/debian-stretch-15-partition-disks.png"></p>
<p>Now the disk will be writen with random data, this is to prevent analysis of the disk. This step can be skipped by pressing cancle but it's highly reccomend you wait it out. It could take several minutes to a few hours so now is an absolutely smashing time to go and have a cup of tea.</p>
<p><img alt="Partition disks" src="https://xo.tc/images/debian-stretch-16-partition-disks.png"></p>
<p>Now set a passphrase for your disk.</p>
<p><img alt="Partition disks" src="https://xo.tc/images/debian-stretch-17-partition-disks.png"></p>
<p>Select "Finish partitioning and write changes to disk"</p>
<p><img alt="Partition disks" src="https://xo.tc/images/debian-stretch-18-partition-disks.png"></p>
<p>Pick 'Yes' to write the changes to the disks.</p>
<p><img alt="Partition disks" src="https://xo.tc/images/debian-stretch-19-partition-disks.png"></p>
<h2>Continue the installation</h2>
<p>Now we continue the installation as per normal.</p>
<p>Pick 'No' for any extra CDs.</p>
<p><img alt="configure the package manager" src="https://xo.tc/images/debian-stretch-20-configure-the-package-manager.png"></p>
<p>Pick your country to find a local mirror .</p>
<p><img alt="configure the package manager" src="https://xo.tc/images/debian-stretch-21-configure-the-package-manager.png"></p>
<p>And pick your mirror of choice, often (at least in Australia) you will find your local ISP has a mirror and this will likely be fastest for you.</p>
<p><img alt="configure the package manager" src="https://xo.tc/images/debian-stretch-22-configure-the-package-manager.png"></p>
<p>Enter any proxy information (most times this will be blank)</p>
<p><img alt="configure the package manager" src="https://xo.tc/images/debian-stretch-23-configure-the-package-manager.png"></p>
<p>You are given the option to opt-in to Debian's <a href="http://popcon.debian.org/">statistics</a> collection.</p>
<p><img alt="Configure the popularity contest" src="https://xo.tc/images/debian-stretch-24-configure-the-popularity-contest.png"></p>
<p>Pick your software, I've gone with KDE as my desktop of choice but it's a matter of personal taste.</p>
<p><img alt="Debian Software Selection" src="https://xo.tc/images/debian-stretch-25-software-selection.png"></p>
<p>Install GRUB</p>
<p><img alt="Install the grub boot loader on a hard disk" src="https://xo.tc/images/debian-stretch-26-install-the-grub-boot-loader-on-a-hard-disk.png"></p>
<p>Pick your boot disk.</p>
<p><img alt="Install the grub boot loader on a hard disk" src="https://xo.tc/images/debian-stretch-27-install-the-grub-boot-loader-on-a-hard-disk.png"></p>
<p>and finish the installation.</p>
<p><img alt="Finish the installation" src="https://xo.tc/images/debian-stretch-28-finish-the-installation.png"></p>
<h2>Boot your system</h2>
<p>Now when you boot up you should presented with a prompt asking for the key to decrypt sda5_crypt (your encrypted volumne)</p>
<p>Enter your passphrase (<strong>Note:</strong> you won't see characters as you type)</p>
<p><img alt="Finish the installation" src="https://xo.tc/images/debian-stretch-29-decrypt-the-disk.png"></p>
<p>Now you can log in and enjoy your new Debian system</p>
<p><img alt="Finish the installation" src="https://xo.tc/images/debian-stretch-30-log-in.png"></p>
<p><img alt="Finish the installation" src="https://xo.tc/images/debian-stretch-31-running.png"></p>Installing OpenCanary on a Raspberry Pi2017-06-22T07:00:00+08:002017-06-22T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-06-22:/installing-opencanary-on-a-raspberry-pi.html<p>A few recent <a href="http://risky.biz/">Risky Business</a> podcasts have been sponsored by Thinkst and they have been plugging their <a href="https://canary.tools/">Canary tools</a>. Basically, little honeypots that sit on your network and sends an alert when something tries to access them. To me, the idea sounded pretty cool but when I looked at their …</p><p>A few recent <a href="http://risky.biz/">Risky Business</a> podcasts have been sponsored by Thinkst and they have been plugging their <a href="https://canary.tools/">Canary tools</a>. Basically, little honeypots that sit on your network and sends an alert when something tries to access them. To me, the idea sounded pretty cool but when I looked at their <a href="https://canary.tools/#pricing">pricing</a> it said</p>
<blockquote>
<p>For under $10k, you get 5 Canaries, a dedicated console, and 5 licences for alerts, support and maintenance. </p>
</blockquote>
<p>While for some organisations $10,000<sup id="fnref:ten-thousand"><a class="footnote-ref" href="#fn:ten-thousand">1</a></sup> might be chicken feed for me that's prohibitively expensive. So I looked around for open source alternatives and was surprised to find that Thinkst have released <a href="https://github.com/thinkst/opencanary">OpenCanary</a>. It doesn't seem to be getting a whole lot of love with only a few commits in over a year at the time of this writing but I did have a spare Raspberry Pi and it's open source so if something is missing I can make a pull request.</p>
<h2>Grab a Raspberry Pi and Install Raspbian</h2>
<p>Download the <a href="https://www.raspberrypi.org/downloads/raspbian/">Raspbian Jessie Lite</a> image and SSH in. There are already hundreds of tutorials so I'm going to skip this step and just assume you have a fresh Raspbian install that you can SSH into.</p>
<p>If you haven't already, update all your packages.</p>
<div class="highlight"><pre><span></span><code>sudo apt-get update && sudo apt-get dist-upgrade
</code></pre></div>
<h2>Install the prerequisites</h2>
<p>Install the packages needed to build OpenCanary.</p>
<div class="highlight"><pre><span></span><code>sudo apt-get install git python-virtualenv python-pip python-dev libssl-dev libffi-dev
</code></pre></div>
<h2>Install a virtual environment</h2>
<p>It's recommended that you run OpenCanary in a virtual environment. It makes managing libraries easier but if the only thing your going to run on the Raspberry Pi is OpenCanary it's not strictly necessary.</p>
<div class="highlight"><pre><span></span><code>virtualenv -p python2 canary-env
source ./canary-env/bin/activate
</code></pre></div>
<p>The versions of pip and setuptools that come with Debian's virtualenv are a little out dated and need to be upgraded for OpenCanary</p>
<div class="highlight"><pre><span></span><code><span class="n">pip</span> <span class="n">install</span> <span class="o">--</span><span class="n">upgrade</span> <span class="n">pip</span> <span class="n">setuptools</span>
</code></pre></div>
<h2>Clone the git repository</h2>
<div class="highlight"><pre><span></span><code>git clone https://github.com/thinkst/opencanary
<span class="nb">cd</span> opencanary
</code></pre></div>
<h2>Install OpenCanary</h2>
<div class="highlight"><pre><span></span><code>python setup.py install
</code></pre></div>
<p>I got some build errors with Jinja2 but it's a <a href="https://github.com/pallets/jinja/issues/643">known issue</a> and does not impact OpenCanary.</p>
<p>Also building cryptography and the other dependencies took about 10 minutes on my Raspberry Pi so now is an absolutely smashing time to go and have a cup of tea.</p>
<h2>Setup config and start OpenCanary</h2>
<p>OpenCanary does have a <code>--copyconfig</code> option which creates a config file in your home directory, however, I found that sometimes OpenCanary misses the config file in the home directory. I tried debugging it but in the end found it more reliable (and logical) to save the config to <code>/etc/opencanaryd/opencanary.conf</code></p>
<div class="highlight"><pre><span></span><code>sudo mkdir /etc/opencanaryd
sudo cp opencanary/data/settings.json /etc/opencanaryd/opencanary.conf
</code></pre></div>
<p>For some reason when I installed OpenCanary the <code>opencanary.tac</code> file did not copy across correctly and I kept getting an error</p>
<blockquote>
<div class="highlight"><pre><span></span><code><span class="n">Unhandled</span> <span class="n">Error</span>
<span class="n">Traceback</span> <span class="p">(</span><span class="n">most</span> <span class="n">recent</span> <span class="n">call</span> <span class="n">last</span><span class="p">):</span>
<span class="n">File</span> <span class="s2">"/usr/local/lib/python2.7/dist-packages/Twisted-14.0.2-py2.7-linux-armv7l.egg/twisted/application/app.py"</span><span class="p">,</span> <span class="n">line</span> <span class="mi">642</span><span class="p">,</span> <span class="ow">in</span> <span class="n">run</span>
<span class="n">runApp</span><span class="p">(</span><span class="n">config</span><span class="p">)</span>
<span class="n">File</span> <span class="s2">"/usr/local/lib/python2.7/dist-packages/Twisted-14.0.2-py2.7-linux-armv7l.egg/twisted/scripts/twistd.py"</span><span class="p">,</span> <span class="n">line</span> <span class="mi">23</span><span class="p">,</span> <span class="ow">in</span> <span class="n">runApp</span>
<span class="n">_SomeApplicationRunner</span><span class="p">(</span><span class="n">config</span><span class="p">)</span><span class="o">.</span><span class="n">run</span><span class="p">()</span>
<span class="n">File</span> <span class="s2">"/usr/local/lib/python2.7/dist-packages/Twisted-14.0.2-py2.7-linux-armv7l.egg/twisted/application/app.py"</span><span class="p">,</span> <span class="n">line</span> <span class="mi">376</span><span class="p">,</span> <span class="ow">in</span> <span class="n">run</span>
<span class="bp">self</span><span class="o">.</span><span class="n">application</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">createOrGetApplication</span><span class="p">()</span>
<span class="n">File</span> <span class="s2">"/usr/local/lib/python2.7/dist-packages/Twisted-14.0.2-py2.7-linux-armv7l.egg/twisted/application/app.py"</span><span class="p">,</span> <span class="n">line</span> <span class="mi">441</span><span class="p">,</span> <span class="ow">in</span> <span class="n">createOrGetApplication</span>
<span class="n">application</span> <span class="o">=</span> <span class="n">getApplication</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">config</span><span class="p">,</span> <span class="n">passphrase</span><span class="p">)</span>
<span class="o">---</span> <span class="o"><</span><span class="n">exception</span> <span class="n">caught</span> <span class="n">here</span><span class="o">></span> <span class="o">---</span>
<span class="n">File</span> <span class="s2">"/usr/local/lib/python2.7/dist-packages/Twisted-14.0.2-py2.7-linux-armv7l.egg/twisted/application/app.py"</span><span class="p">,</span> <span class="n">line</span> <span class="mi">452</span><span class="p">,</span> <span class="ow">in</span> <span class="n">getApplication</span>
<span class="n">application</span> <span class="o">=</span> <span class="n">service</span><span class="o">.</span><span class="n">loadApplication</span><span class="p">(</span><span class="n">filename</span><span class="p">,</span> <span class="n">style</span><span class="p">,</span> <span class="n">passphrase</span><span class="p">)</span>
<span class="n">File</span> <span class="s2">"/usr/local/lib/python2.7/dist-packages/Twisted-14.0.2-py2.7-linux-armv7l.egg/twisted/application/service.py"</span><span class="p">,</span> <span class="n">line</span> <span class="mi">405</span><span class="p">,</span> <span class="ow">in</span> <span class="n">loadApplication</span>
<span class="n">application</span> <span class="o">=</span> <span class="n">sob</span><span class="o">.</span><span class="n">loadValueFromFile</span><span class="p">(</span><span class="n">filename</span><span class="p">,</span> <span class="s1">'application'</span><span class="p">,</span> <span class="n">passphrase</span><span class="p">)</span>
<span class="n">File</span> <span class="s2">"/usr/local/lib/python2.7/dist-packages/Twisted-14.0.2-py2.7-linux-armv7l.egg/twisted/persisted/sob.py"</span><span class="p">,</span> <span class="n">line</span> <span class="mi">210</span><span class="p">,</span> <span class="ow">in</span> <span class="n">loadValueFromFile</span>
<span class="n">exec</span> <span class="n">fileObj</span> <span class="ow">in</span> <span class="n">d</span><span class="p">,</span> <span class="n">d</span>
<span class="n">File</span> <span class="s2">"/usr/local/bin/opencanary.tac"</span><span class="p">,</span> <span class="n">line</span> <span class="mi">4</span><span class="p">,</span> <span class="ow">in</span> <span class="o"><</span><span class="n">module</span><span class="o">></span>
<span class="n">__import__</span><span class="p">(</span><span class="s1">'pkg_resources'</span><span class="p">)</span><span class="o">.</span><span class="n">run_script</span><span class="p">(</span><span class="s1">'opencanary==0.3.2'</span><span class="p">,</span> <span class="s1">'opencanary.tac'</span><span class="p">)</span>
<span class="n">File</span> <span class="s2">"/usr/lib/python2.7/dist-packages/pkg_resources.py"</span><span class="p">,</span> <span class="n">line</span> <span class="mi">531</span><span class="p">,</span> <span class="ow">in</span> <span class="n">run_script</span>
<span class="n">name</span> <span class="o">=</span> <span class="n">ns</span><span class="p">[</span><span class="s1">'__name__'</span><span class="p">]</span>
<span class="n">exceptions</span><span class="o">.</span><span class="n">KeyError</span><span class="p">:</span> <span class="s1">'__name__'</span>
<span class="n">Failed</span> <span class="n">to</span> <span class="nb">load</span> <span class="n">application</span><span class="p">:</span> <span class="s1">'__name__'</span>
</code></pre></div>
</blockquote>
<p>I needed to copy the tac file manually.</p>
<div class="highlight"><pre><span></span><code>cp bin/opencanary.tac /home/pi/canary-env/bin/opencanary.tac
</code></pre></div>
<p>I also found the default Raspbian image has the NTP service running and so port 123 was already in use. I chose to disable the NTP module in OpenCanary</p>
<div class="highlight"><pre><span></span><code>sudo nano /etc/opencanaryd/opencanary.conf
</code></pre></div>
<blockquote>
<p><code>"ntp.enabled": false,</code></p>
</blockquote>
<p>Alternatively, you could leave the NTP module enabled and disable the service on the Raspberry Pi</p>
<div class="highlight"><pre><span></span><code>sudo systemctl stop ntp.service
sudo systemctl disable ntp.service
</code></pre></div>
<h2>Start OpenCanaryd</h2>
<p>As a bit of a "Hello World!" start opencanaryd in developer mode so it runs process in the foreground to check it's all working</p>
<div class="highlight"><pre><span></span><code>opencanaryd --dev
</code></pre></div>
<p>Hopefully, you will see a message that contains <code>Canary running!!!</code> although you will probably also see a number of <code>Dropping log message due to too many failed sends</code> messages as well. This is because opencanaryd trying to send messages to <a href="https://github.com/thinkst/opencanary-correlator">opencanary-correlator</a> but we don't have that setup yet.</p>
<p>At this point you can have a play with your canary, try to nmap it or telet to it and see the output.</p>
<p>Once you have had some fun Ctrl + C out to close opencanaryd</p>
<h2>Setup Email Alerts</h2>
<p>Apparently, it's possible to have your canary log directly to <a href="http://docs.opencanary.org/en/latest/alerts/email.html">email</a> but when I tried I couldn't get it to work.</p>
<p>I looked at opencanary-correlator, but it uses <a href="https://www.mandrill.com/">mandrill</a> for mail and that's now a paid MailChimp add-on which I didn't want to use.</p>
<p>In the end, I found it quicker and easier to write a <a href="https://github.com/HybridAU/canary_log_forwarder/blob/master/canary_log_forwarder.py">simple python script</a> to work like correlator and forward all alerts to an email address.</p>
<div class="highlight"><pre><span></span><code>sudo nano canary_log_forwarder.py
</code></pre></div>
<p>Add your email addresses and SMTP server into the script and save it.</p>
<div class="highlight"><pre><span></span><code><span class="sd">"""</span>
<span class="sd">Forwards logs from OpenCanary that come in on port 1514 to an email address.</span>
<span class="sd">This is a very simple script, it does no validation on the logs, it just</span>
<span class="sd">forwards everything that comes in.</span>
<span class="sd">"""</span>
<span class="kn">import</span> <span class="nn">smtplib</span>
<span class="kn">from</span> <span class="nn">email.mime.text</span> <span class="kn">import</span> <span class="n">MIMEText</span>
<span class="kn">from</span> <span class="nn">email.mime.multipart</span> <span class="kn">import</span> <span class="n">MIMEMultipart</span>
<span class="kn">from</span> <span class="nn">twisted.internet</span> <span class="kn">import</span> <span class="n">protocol</span><span class="p">,</span> <span class="n">reactor</span>
<span class="c1"># Settings</span>
<span class="n">FROM_ADDRESS</span> <span class="o">=</span> <span class="s1">'opencanary@example.com'</span>
<span class="n">TO_ADDRESS</span> <span class="o">=</span> <span class="s1">'security@example.com'</span>
<span class="n">SMTP_SERVER</span> <span class="o">=</span> <span class="s1">'mail.example.com'</span>
<span class="c1"># Saving passwords in a file is not a great idea. If you do need to log in to</span>
<span class="c1"># your SMTP server, at the very least make sure this file is not world readable</span>
<span class="c1"># e.g. `chmod 700 canary_log_forwarder.py`</span>
<span class="n">SMTP_USERNAME</span> <span class="o">=</span> <span class="kc">None</span>
<span class="n">SMTP_PASSWORD</span> <span class="o">=</span> <span class="kc">None</span>
<span class="k">class</span> <span class="nc">SendEmail</span><span class="p">(</span><span class="n">protocol</span><span class="o">.</span><span class="n">Protocol</span><span class="p">):</span>
<span class="k">def</span> <span class="nf">dataReceived</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">data</span><span class="p">):</span>
<span class="n">message</span> <span class="o">=</span> <span class="n">MIMEMultipart</span><span class="p">(</span><span class="s1">'alternative'</span><span class="p">)</span>
<span class="n">message_body</span> <span class="o">=</span> <span class="n">MIMEText</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="s2">"plain"</span><span class="p">,</span> <span class="s2">"utf-8"</span><span class="p">)</span>
<span class="n">message</span><span class="p">[</span><span class="s1">'Subject'</span><span class="p">]</span> <span class="o">=</span> <span class="s1">'Alert from OpenCanary'</span>
<span class="n">message</span><span class="p">[</span><span class="s1">'From'</span><span class="p">]</span> <span class="o">=</span> <span class="n">FROM_ADDRESS</span>
<span class="n">message</span><span class="p">[</span><span class="s1">'To'</span><span class="p">]</span> <span class="o">=</span> <span class="n">TO_ADDRESS</span>
<span class="n">message</span><span class="o">.</span><span class="n">attach</span><span class="p">(</span><span class="n">message_body</span><span class="p">)</span>
<span class="n">server</span> <span class="o">=</span> <span class="n">smtplib</span><span class="o">.</span><span class="n">SMTP</span><span class="p">(</span><span class="n">SMTP_SERVER</span><span class="p">)</span>
<span class="n">server</span><span class="o">.</span><span class="n">ehlo</span><span class="p">()</span>
<span class="n">server</span><span class="o">.</span><span class="n">starttls</span><span class="p">()</span>
<span class="n">server</span><span class="o">.</span><span class="n">ehlo</span><span class="p">()</span>
<span class="c1"># Login if applicable</span>
<span class="k">if</span> <span class="n">SMTP_PASSWORD</span> <span class="ow">and</span> <span class="n">SMTP_PASSWORD</span><span class="p">:</span>
<span class="n">server</span><span class="o">.</span><span class="n">login</span><span class="p">(</span><span class="n">SMTP_USERNAME</span><span class="p">,</span> <span class="n">SMTP_PASSWORD</span><span class="p">)</span>
<span class="n">server</span><span class="o">.</span><span class="n">sendmail</span><span class="p">(</span><span class="n">FROM_ADDRESS</span><span class="p">,</span> <span class="p">[</span><span class="n">TO_ADDRESS</span><span class="p">],</span> <span class="n">message</span><span class="o">.</span><span class="n">as_string</span><span class="p">())</span>
<span class="n">server</span><span class="o">.</span><span class="n">quit</span><span class="p">()</span>
<span class="k">class</span> <span class="nc">EmailFactory</span><span class="p">(</span><span class="n">protocol</span><span class="o">.</span><span class="n">Factory</span><span class="p">):</span>
<span class="k">def</span> <span class="nf">buildProtocol</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">addr</span><span class="p">):</span>
<span class="k">return</span> <span class="n">SendEmail</span><span class="p">()</span>
<span class="n">reactor</span><span class="o">.</span><span class="n">listenTCP</span><span class="p">(</span><span class="mi">1514</span><span class="p">,</span> <span class="n">EmailFactory</span><span class="p">(),</span> <span class="n">interface</span><span class="o">=</span><span class="s1">'localhost'</span><span class="p">)</span>
<span class="n">reactor</span><span class="o">.</span><span class="n">run</span><span class="p">()</span>
</code></pre></div>
<h2>Make it a service</h2>
<p>Now we have everything setup we want to make it run as a service and start automatically when we boot up the Raspberry Pi. So we will create two systemd <code>.service</code> files.</p>
<div class="highlight"><pre><span></span><code>sudo nano /etc/systemd/system/opencanary.service
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="k">[Unit]</span>
<span class="na">Description</span><span class="o">=</span><span class="s">OpenCanary honeypot</span>
<span class="na">After</span><span class="o">=</span><span class="s">syslog.target</span>
<span class="na">After</span><span class="o">=</span><span class="s">network.target</span>
<span class="k">[Service]</span>
<span class="na">User</span><span class="o">=</span><span class="s">pi</span>
<span class="na">Restart</span><span class="o">=</span><span class="s">always</span>
<span class="na">Environment</span><span class="o">=</span><span class="s">VIRTUAL_ENV=/home/pi/canary-env/</span>
<span class="na">Environment</span><span class="o">=</span><span class="s">PATH=$VIRTUAL_ENV/bin:/usr/bin:$PATH</span>
<span class="na">WorkingDirectory</span><span class="o">=</span><span class="s">/home/pi/canary-env/bin</span>
<span class="na">ExecStart</span><span class="o">=</span><span class="s">/home/pi/canary-env/bin/opencanaryd --dev</span>
<span class="k">[Install]</span>
<span class="na">WantedBy</span><span class="o">=</span><span class="s">multi-user.target</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code>sudo nano /etc/systemd/system/canary-log-forwarder.service
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="k">[Unit]</span>
<span class="na">Description</span><span class="o">=</span><span class="s">Canary log forwarder</span>
<span class="na">After</span><span class="o">=</span><span class="s">syslog.target</span>
<span class="na">After</span><span class="o">=</span><span class="s">network.target</span>
<span class="k">[Service]</span>
<span class="na">User</span><span class="o">=</span><span class="s">pi</span>
<span class="na">Restart</span><span class="o">=</span><span class="s">always</span>
<span class="na">Environment</span><span class="o">=</span><span class="s">VIRTUAL_ENV=/home/pi/canary-env/</span>
<span class="na">Environment</span><span class="o">=</span><span class="s">PATH=$VIRTUAL_ENV/bin:$PATH</span>
<span class="na">WorkingDirectory</span><span class="o">=</span><span class="s">/home/pi/canary-env/</span>
<span class="na">ExecStart</span><span class="o">=</span><span class="s">/home/pi/canary-env/bin/python /home/pi/opencanary/canary_log_forwarder.py</span>
<span class="k">[Install]</span>
<span class="na">WantedBy</span><span class="o">=</span><span class="s">multi-user.target</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code>sudo systemctl enable canary-log-forwarder.service opencanary.service
sudo systemctl start canary-log-forwarder.service opencanary.service
</code></pre></div>
<h1>Finshed</h1>
<p>Your canary should now be all set up and ready to run. </p>
<p>It's a good idea to reboot it just to make sure all the services start correctly.</p>
<div class="highlight"><pre><span></span><code>sudo reboot
</code></pre></div>
<p>You should get emailed when it boots up letting you know that all the services have started.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:ten-thousand">
<p>I know the website said "Under $10k" but they wouldn't phrase it like that if the price was $300. <a class="footnote-backref" href="#fnref:ten-thousand" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Why I like the MIT License2017-06-15T07:00:00+08:002017-06-15T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-06-15:/why-i-like-the-mit-license.html<p>Recently I've spent a little too much time thinking about open source licenses.</p>
<p>Whenever I start a new project I struggled to pick a license, there are dosens open source licenses that are all more or less the same. In fact worese than being the same many licenses that have …</p><p>Recently I've spent a little too much time thinking about open source licenses.</p>
<p>Whenever I start a new project I struggled to pick a license, there are dosens open source licenses that are all more or less the same. In fact worese than being the same many licenses that have the same goals are subtlety incompatible with one another.</p>
<p>Linus has <a href="https://www.youtube.com/watch?v=PaKIZ7gJlRU">expressed</a> why he likes GPLv2 and not GPLv3. Even within BSD license there are <a href="https://en.wikipedia.org/wiki/BSD_licenses">diffrent versions</a> which can be confusing.</p>
<p>The MIT license however is, short, simple, open, doesn't have lot's of diffrent variants and I was supprised to find it's the <a href="https://github.com/blog/1964-open-source-license-usage-on-github-com">most popular license</a> on GitHub so it's very well known.</p>ASD's Essential Eight2017-06-08T07:00:00+08:002017-06-08T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-06-08:/asds-essential-eight.html<p>I've long been a fan of the advice from the Australian Signals Directorate (ASD) [previously the Defence Signals Directorate (DSD)]. Not too long ago they changed their "Top 4" to their "<a href="https://asd.gov.au/publications/protect/essential-eight-explained.htm">Essential Eight</a>".</p>
<p>What I like about ASD's advice is that it's easy to read, in comparison ISO 27001:2013 …</p><p>I've long been a fan of the advice from the Australian Signals Directorate (ASD) [previously the Defence Signals Directorate (DSD)]. Not too long ago they changed their "Top 4" to their "<a href="https://asd.gov.au/publications/protect/essential-eight-explained.htm">Essential Eight</a>".</p>
<p>What I like about ASD's advice is that it's easy to read, in comparison ISO 27001:2013 might be full of great advice but even the name is indecipherable jargon to most people.</p>
<p>ASD's Essential Eight are simple to understand, and with the exception of Application whitelisting, they are relatively easy to implement. They are:</p>
<ul>
<li>Application whitelisting</li>
<li>Patch applications</li>
<li>Disable untrusted Microsoft Office macros</li>
<li>User application hardening (Uninstall shovelware)</li>
<li>Restrict administrative privileges</li>
<li>Patch operating systems</li>
<li>Multi-factor authentication</li>
<li>Daily backup of important data</li>
</ul>
<p>While it might be fun to install blinky-light boxes that run fancy machine learning algorithms and cost a fortune. ASD's Essential Eight are cheap, simple and effective and will definitely get you your best bang for your buck.</p>Designing for Failure2017-06-01T07:00:00+08:002017-06-01T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-06-01:/designing-for-failure.html<p>I recently purchased my grandfather's house which he built himself in the mid 1950s. My fiancé and I were painting the house and we came across a pipe sticking out of the wall just above the rain water tank.</p>
<p><img alt="Pipe above rain water tank" src="https://xo.tc/images/pipe-above-rain-water-tank.png"></p>
<p>Looking inside the roof we discoved that this pipe came from …</p><p>I recently purchased my grandfather's house which he built himself in the mid 1950s. My fiancé and I were painting the house and we came across a pipe sticking out of the wall just above the rain water tank.</p>
<p><img alt="Pipe above rain water tank" src="https://xo.tc/images/pipe-above-rain-water-tank.png"></p>
<p>Looking inside the roof we discoved that this pipe came from a large metal tray that was sitting underneath the hot water system. The manufacturers of the hot water system never intended for the tank to leak<sup id="fnref:leak"><a class="footnote-ref" href="#fn:leak">1</a></sup> but it's something my grand father clearly though about and designed for just incase.</p>
<p>Simiarly on the roof there is a copper pipe that looks a bit like a shepherd's crook that comes out of the hot water system.</p>
<p><img alt="Shepherd's crook pipe" src="https://xo.tc/images/shepherds-crook-pipe.png"></p>
<p>The idea is that if the tank somehow got overfilled and then the water got boiled and expanded, rather than the tank exploding with the pressure, the boiling water would be forced up the pipe and pour out on the roof. As far as I'm aware the tank has never been overfilled or over boiled, but it's good to have a contingency just incase.</p>
<p>In IT we are getting better at designing for failure, things like RAID or small office routers that now come with both DSL and a 4G modem so if the DSL dropps out it switches over.</p>
<p>In Information Security we have ideas like defence in depth and layered security. They are a good start but we need to keep working on them.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:leak">
<p>And to their credit the tank is older than I am and still going well. <a class="footnote-backref" href="#fnref:leak" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Fair use and copyright reform in Australia2017-05-25T07:00:00+08:002017-05-25T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-05-25:/fair-use-and-copyright-reform-in-australia.html<p>I've just finished listening to the audio book of Cory Doctorow's <a href="http://craphound.com/news/2014/12/10/information-doesnt-want-to-be-free-audiobook/">Information Doesn't Want to Be Free</a>. It's a fascinating read and I'd recommend it to anyone interested in copyright.</p>
<p>Admittedly some bits are a little repetitive but it really hammers home how broken the current copyright system is and …</p><p>I've just finished listening to the audio book of Cory Doctorow's <a href="http://craphound.com/news/2014/12/10/information-doesnt-want-to-be-free-audiobook/">Information Doesn't Want to Be Free</a>. It's a fascinating read and I'd recommend it to anyone interested in copyright.</p>
<p>Admittedly some bits are a little repetitive but it really hammers home how broken the current copyright system is and how much damage archaic copyright laws are doing to the internet.</p>
<p>At the same time <a href="https://www.efa.org.au/2017/05/23/faircopyright/">Electronic Frontiers Australia</a>, a number of <a href="https://meta.wikimedia.org/wiki/FairCopyrightOz">Australian Wikipedians</a> and the <a href="http://www.digital.org.au">Australian Digital Alliance</a> have released a new website <a href="https://www.faircopyright.org.au/">faircopyright.org.au</a> which is campaigning for more sensible copyright laws in Australia.</p>
<p>I personally would be willing to buy a copy of Information Doesn't Want to Be Free for any Australian MP who is willing to listen to or read it and I'm planing on sending an email to my local MP to that effect.</p>If you're not paying for it you're not the customer you're the product2017-05-18T07:00:00+08:002017-05-18T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-05-18:/if-youre-not-paying-for-it-youre-not-the-customer-youre-the-product.html<p>There are exceptions to every rule. I'm certainly not saying every free service exists to profit from it's users. I believe in charity and people doing things for the common good. <a href="https://en.wikipedia.org/wiki/Wikipedia">Wikipedia</a> and the <a href="https://www.kernel.org/">Linux Kernel</a> are great examples.</p>
<p>But even with Wikipedia, I would say the "customer" are people …</p><p>There are exceptions to every rule. I'm certainly not saying every free service exists to profit from it's users. I believe in charity and people doing things for the common good. <a href="https://en.wikipedia.org/wiki/Wikipedia">Wikipedia</a> and the <a href="https://www.kernel.org/">Linux Kernel</a> are great examples.</p>
<p>But even with Wikipedia, I would say the "customer" are people who donate<sup id="fnref:donate"><a class="footnote-ref" href="#fn:donate">1</a></sup> and what they are "buying" is a world where everyone<sup id="fnref:everyone"><a class="footnote-ref" href="#fn:everyone">2</a></sup> has access to information.</p>
<p>That might be pushing the metaphor a bit too far, but I think it's always worth thinking about who is paying the bills of any free service.</p>
<p>Even this blog, I'm paying the bills<sup id="fnref:bills"><a class="footnote-ref" href="#fn:bills">3</a></sup>, and the customer isn't the people reading the blog it's me, I'm paying for a platform where I can <strike>rant</strike> express my self.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:donate">
<p>As a disclaimer, I have donated to Wikipedia a few times when they do their funding drives. I think it's a worthy cause and I would encorage others to do so too. <a class="footnote-backref" href="#fnref:donate" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:everyone">
<p>Everyone with an internet connection. For now, but we buy into the dream that one day everyone in the world will have access to information. <a class="footnote-backref" href="#fnref:everyone" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:bills">
<p>In case you're wondering, I pay $20 AUD a month on hosting with <a href="http://ransomit.com.au/">RansomIT</a> and $70 USD per year for the domain name. <a class="footnote-backref" href="#fnref:bills" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
</ol>
</div>Upgrading a Nexus 6P from CyanogenMod 13 to LineageOS 142017-05-11T07:00:00+08:002017-05-11T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-05-11:/upgrading-a-nexus-6p-from-cyanogenmod-13-to-lineageos-14.html<p>There is an experimental build of LineageOS 14 which can upgrade from CyanogenMod 13 but I thought this was a good opportunity to clear some of the cruft off my phone and start again.</p>
<h2>Backing up the phone</h2>
<p>There were only a few files on my phone I wanted to …</p><p>There is an experimental build of LineageOS 14 which can upgrade from CyanogenMod 13 but I thought this was a good opportunity to clear some of the cruft off my phone and start again.</p>
<h2>Backing up the phone</h2>
<p>There were only a few files on my phone I wanted to copy off. All my photos, contacts and calendar are synced with NextCloud so I already had them backed up.</p>
<p>But I wanted to get a copy of the seed values from Google Authenticator and I wanted to keep a copy of my text messages<sup id="fnref:text-messages"><a class="footnote-ref" href="#fn:text-messages">1</a></sup>.</p>
<p>To pull out the Google Authenticator database you need to enable adb and root access<sup id="fnref:root-access"><a class="footnote-ref" href="#fn:root-access">2</a></sup>.</p>
<p>To do this go into Setting > About Phone and tap on 'Buld Number' 7 times.</p>
<p>Then go back and go into Developer options.</p>
<p>Scroll down to root access and pick ADB only.</p>
<p>Scroll down to Debuguging and switch Android debugging on.</p>
<p>Next you need to install ADB onto your computer, for me on Arch Linux that was as simple as</p>
<div class="highlight"><pre><span></span><code><span class="n">sudo</span> <span class="n">pacman</span> <span class="o">-</span><span class="n">S</span> <span class="n">android</span><span class="o">-</span><span class="n">tools</span>
</code></pre></div>
<p>for Debian / Ubuntu that should be</p>
<div class="highlight"><pre><span></span><code><span class="n">sudo</span> <span class="n">apt</span><span class="o">-</span><span class="n">get</span> <span class="n">install</span> <span class="n">android</span><span class="o">-</span><span class="n">tools</span><span class="o">-</span><span class="n">adb</span>
</code></pre></div>
<p>Once you have adb installed you can connect your phone via the USB cable. You may need to accept a prompt on your phone to connect adb and trust the computer and the you can run</p>
<div class="highlight"><pre><span></span><code>adb root
adb pull /data/data/com.google.android.apps.authenticator2/databases/databases authenticator.db
</code></pre></div>
<p>This will pull out your Google Authenticator database out. It's just a simple sqlite database and you can have a look through it.</p>
<div class="highlight"><pre><span></span><code>sqlite3 authenticator.db
</code></pre></div>
<blockquote></blockquote>
<div class="highlight"><pre><span></span><code><span class="nt">SQLite</span> <span class="nt">version</span> <span class="nt">3</span><span class="p">.</span><span class="nc">18</span><span class="p">.</span><span class="nc">0</span> <span class="nt">2017-03-28</span> <span class="nt">18</span><span class="p">:</span><span class="nd">48</span><span class="p">:</span><span class="nd">43</span>
<span class="nt">Enter</span> <span class="s2">".help"</span> <span class="nt">for</span> <span class="nt">usage</span> <span class="nt">hints</span><span class="o">.</span>
<span class="nt">sqlite</span><span class="o">></span> <span class="p">.</span><span class="nc">tables</span>
<span class="nt">accounts</span> <span class="nt">android_metadata</span>
<span class="nt">sqlite</span><span class="o">></span> <span class="nt">select</span> <span class="o">*</span> <span class="nt">from</span> <span class="nt">accounts</span><span class="o">;</span>
<span class="nt">1</span><span class="o">|</span><span class="nt">Gmail</span><span class="o">|</span><span class="nt">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</span><span class="o">|</span><span class="nt">0</span><span class="o">|</span><span class="nt">0</span><span class="o">|</span><span class="nt">0</span>
<span class="nt">2</span><span class="o">|</span><span class="nt">GitHub</span><span class="o">|</span><span class="nt">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</span><span class="o">|</span><span class="nt">0</span><span class="o">|</span><span class="nt">0</span><span class="o">|</span><span class="nt">0</span>
<span class="nt">3</span><span class="o">|</span><span class="nt">Amazon</span> <span class="nt">Web</span> <span class="nt">Services</span><span class="o">|</span><span class="nt">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</span><span class="o">|</span><span class="nt">0</span><span class="o">|</span><span class="nt">0</span><span class="o">|</span><span class="nt">0</span>
</code></pre></div>
<p>simiarly we can now pull out our old text messages database with.</p>
<div class="highlight"><pre><span></span><code>adb pull /data/data/com.android.providers.telephony/databases/mmssms.db
</code></pre></div>
<p>and have a look through them</p>
<div class="highlight"><pre><span></span><code>sqlite3 mmssms.db
</code></pre></div>
<h2>Whipe the phone</h2>
<p>We reboot the phone into TeamWin Recovery mode by holding the volume down key while booting. Then press the volume up and down to scroll to Recovery mode and click the power button.</p>
<p>Then pick Wipe. I personally did Advance Wipe and picked all the partitions. I don't think this was necessary but I think it's cleaner to start off with a compleatly blank phone.</p>
<h2>Flash the new firmware</h2>
<p>Next we flash the new firmware.</p>
<p>Reboot again, and hold the volume down key but this time wait at the menu where it says Reboot bootloader.</p>
<p>When I first ran <code>fastboot devices</code> I got an error message</p>
<div class="highlight"><pre><span></span><code><span class="n">fastboot</span> <span class="n">devices</span>
<span class="n">no</span> <span class="n">permissions</span><span class="p">;</span> <span class="n">see</span> <span class="p">[</span><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">developer</span><span class="o">.</span><span class="n">android</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">tools</span><span class="o">/</span><span class="n">device</span><span class="o">.</span><span class="n">html</span><span class="p">]</span> <span class="n">fastboot</span>
</code></pre></div>
<p>But running it as root worked. I <a href="https://forum.xda-developers.com/nexus-6p/orig-development/rom-cm14-1-nexus-6p-angler-t3498453">downloaded</a> and flashed the vendor image, radio firmware and bootloader.</p>
<div class="highlight"><pre><span></span><code><span class="n">sudo</span> <span class="n">fastboot</span> <span class="n">flash</span> <span class="n">vendor</span> <span class="n">vendor</span><span class="o">-</span><span class="n">n2g47h</span><span class="o">.</span><span class="n">img</span>
<span class="n">sudo</span> <span class="n">fastboot</span> <span class="n">flash</span> <span class="n">radio</span> <span class="n">radio</span><span class="o">-</span><span class="n">angler</span><span class="o">-</span><span class="n">angler</span><span class="o">-</span><span class="mf">03.81</span><span class="o">.</span><span class="n">img</span>
<span class="n">sudo</span> <span class="n">fastboot</span> <span class="n">flash</span> <span class="n">bootloader</span> <span class="n">bootloader</span><span class="o">-</span><span class="n">angler</span><span class="o">-</span><span class="n">angler</span><span class="o">-</span><span class="mf">03.67</span><span class="o">.</span><span class="n">img</span>
</code></pre></div>
<h2>Install LineageOS</h2>
<p>Now we reboot into into TeamWin Recovery mode.</p>
<p>Use adb to push a copy of lineage-14 onto the phone</p>
<div class="highlight"><pre><span></span><code>adb push lineage-14.1-20170501-nightly-angler-signed.zip
</code></pre></div>
<p>and pick Install then select the zip file and follow the prompts.</p>
<p>Now we reboot then wait ... wait some more .... then after about a minute when your just starting to think "Oh Jeez I've bricked my phone" you will be greeted by the LineageOS boot screen.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:text-messages">
<p>I'm a bit of a hoarder with my data, storage is so cheap and it's so easy to keep it all forever. Signal has <a href="https://whispersystems.org/blog/disappearing-messages/">disappearing messages</a> and it's a great idea, some conversations ephemeral but I just can't bring myself to delete my message history. <a class="footnote-backref" href="#fnref:text-messages" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:root-access">
<p>Just incase it's not obvious enabling root access is a horible idea from a security point of view, I'd only do it when necessary and remove it again straight away. <a class="footnote-backref" href="#fnref:root-access" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>Inbox Zero2017-05-04T07:00:00+08:002017-05-04T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-05-04:/inbox-zero.html<p>There must be hundreds of diffrent strategies for dealing with the constant flood of requests that come in through out the day. My personal favorite for email is <a href="https://www.youtube.com/watch?v=z9UjeTMb3Yk">Inbox Zero</a>. If you havn't come across it before you should go and check it out, it might not be the one …</p><p>There must be hundreds of diffrent strategies for dealing with the constant flood of requests that come in through out the day. My personal favorite for email is <a href="https://www.youtube.com/watch?v=z9UjeTMb3Yk">Inbox Zero</a>. If you havn't come across it before you should go and check it out, it might not be the one that works for you but you should at least take a look.</p>
<p>The thing that really stuck for me was that your inbox shouldn't be a reminder system, most office suites already have two tools that do that better; your calender and a your task / to do list.</p>
<p>Instead of leaving an email that's otherwise dealt with in your inbox thinking "I must follow that up next week when Jo gets back from leave ... " archive the email and stick an appointment in your calendar for some time after Jo gets back that says "Follow up <em>thing</em> with Jo."</p>Installing Python 3.6 on Windows2017-04-27T07:00:00+08:002017-04-27T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-04-27:/installing-python-36-on-windows.html<p>Installing Python on Windows is not that hard, but I want the 64 bit version and I want it installed system wide and neither of these are defaults so we need to change things a little.</p>
<p>First we go to <a href="https://www.python.org/">python.org</a> and navigate to Downloads > Windows</p>
<p><img alt="Python Downloads Windows" src="https://xo.tc/images/python-windows-install-1-home-page.png"></p>
<p>Then we need …</p><p>Installing Python on Windows is not that hard, but I want the 64 bit version and I want it installed system wide and neither of these are defaults so we need to change things a little.</p>
<p>First we go to <a href="https://www.python.org/">python.org</a> and navigate to Downloads > Windows</p>
<p><img alt="Python Downloads Windows" src="https://xo.tc/images/python-windows-install-1-home-page.png"></p>
<p>Then we need to download the 64-bit exceutable installer.</p>
<p><img alt="Python Downloads Windows 64-bit" src="https://xo.tc/images/python-windows-install-2-64-bit-executable.png"></p>
<p>We run the installer, first tick "Add Python 3.6 to PATH" this makes life much easier because we can simply call python from the command line. Next click "Customize installation"</p>
<p><img alt="Python Installer First Page" src="https://xo.tc/images/python-windows-install-3-installer-first-page.png"></p>
<p>I install all the optional features (this is the default anyway) so we simply hit next.</p>
<p><img alt="Python optional features" src="https://xo.tc/images/python-windows-install-4-installer-optional-features.png"></p>
<p>In the Advanced Options tick "Install for all users" this will change the path from <code>C:\Users\your.name\AppData\Local\Programs\Python\Python36</code> to <code>C:\Program Files\Python36</code> which will make it system wide. Then hit Install</p>
<p><img alt="Python optional features" src="https://xo.tc/images/python-windows-install-5-installer-advanced-options.png"></p>
<p>This will ask for elevated privlages and then run though installing and your done.</p>
<p><img alt="Python optional features" src="https://xo.tc/images/python-windows-install-6-installer-running.png"></p>
<p>I understand that the Python installer probably defaults to installing the 32 bit version for just the local user for compatibility reasons. It's better to have defaults that will work for everyone, but for me I almost always install python to run things like scheduled tasks and system scripts so this is how I like my Python set up.</p>Spam Filtering2017-04-20T07:00:00+08:002017-04-20T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-04-20:/spam-filtering.html<p>Since I've started hosting my own email server I've been using spam assassin for my spam filtering. All in all it does a pretty good job of stopping spam but unfortuantly without the volume of mail Google has to train it's filter it will simply never be as good as …</p><p>Since I've started hosting my own email server I've been using spam assassin for my spam filtering. All in all it does a pretty good job of stopping spam but unfortuantly without the volume of mail Google has to train it's filter it will simply never be as good as what you can get from hosted email with one of the major providers.</p>
<p>Recently I've decided that instead of constantly trying to tweak my spam filtering rules, adding new real time black lists, and so on. I've simply turned spam assassin up to be very agressive and then started using a whitelist of people and domains that I receive email from regularly.</p>
<p>I know that it's not an approach that would scale past a couple of people, let alone a millions like the major providers have to deal with, but for me I rarely receive email from people I have not communicated with before and simply exporting my contacts list and whitelisting those addresses seems to be working pretty well.</p>Moving beyond PEP 82017-04-13T07:00:00+08:002017-04-13T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-04-13:/moving-beyond-pep-8.html<p>I recently watched Raymond Hettinger - <a href="https://www.youtube.com/watch?v=wf-BqAjZb8M">Beyond PEP 8 -- Best practices for beautiful intelligible code</a> - from PyCon 2015. It was an ammazing talk and I'd higly reccomend it to anyone wanting to write readable Python code.</p>
<p>One of the first things he tackled was the <a href="https://www.python.org/dev/peps/pep-0008/#maximum-line-length">79 character</a> line limit. That's something …</p><p>I recently watched Raymond Hettinger - <a href="https://www.youtube.com/watch?v=wf-BqAjZb8M">Beyond PEP 8 -- Best practices for beautiful intelligible code</a> - from PyCon 2015. It was an ammazing talk and I'd higly reccomend it to anyone wanting to write readable Python code.</p>
<p>One of the first things he tackled was the <a href="https://www.python.org/dev/peps/pep-0008/#maximum-line-length">79 character</a> line limit. That's something that has always annoyed me, as I personally like long and descriptive variable names and if your already tabbed in four or eight spaces it dosn't always leave a lot of space for your code. I know I've been guilty of writing worse and less readable code just to make my code squeeze into the space available. Really if your code is PEP 8 compliant but harder to read then you have missed the point of PEP 8.</p>
<p>I feel very strongly about descriptive variable names, I've worked with software that was originaly written for Gupta SQL Base in 1992 when it <a href="http://support.guptatechnologies.com/Docs/SQLBase/Books/sqllang10/sqllang_sql_elements.htm">didn't support</a> column names longer than 18 character. This lead to some great names like <code>PRJ_CON_RET_DAT</code>, you might be able to work out what is but a variable like <code>project_contract_returned_date</code> is so much easier to understand. Some people have said long descriptive variable are hard to type, but I think people should be using an editor with autocomplete.</p>
<p>Raymond also tackes a few other ways to make your code more pythonic.</p>Calculating a base64 encoded sha256 sum of inline scripts for your content security policy2017-04-06T07:00:00+08:002017-04-06T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-04-06:/calculating-a-base64-encoded-sha256-sum-of-inline-scripts-for-your-content-security-policy.html<p>A while ago I wrote a post on <a href="https://xo.tc/http-secuirty-headers.html">HTTP Security Headers</a> and part of that invloved setting up a content security policy (CSP) and in that I say</p>
<blockquote>
<p>I've done a SHA-256 hash of the script</p>
</blockquote>
<p>and I just left it at that, simple right? Only now a it's little …</p><p>A while ago I wrote a post on <a href="https://xo.tc/http-secuirty-headers.html">HTTP Security Headers</a> and part of that invloved setting up a content security policy (CSP) and in that I say</p>
<blockquote>
<p>I've done a SHA-256 hash of the script</p>
</blockquote>
<p>and I just left it at that, simple right? Only now a it's little over a year later, I've changed my piwik domain and I need to change my inline script only I can't remember how I calculated the sum.</p>
<p>For those who have <strong>already have a CSP</strong> I'd recomend;</p>
<ul>
<li>Open Chrome</li>
<li>Hit F12 to get the console</li>
<li>Load your page</li>
<li>Find the error message which helpfully contains exactly what you need to add to your CSP</li>
</ul>
<p>So in my case chrome provided me with:</p>
<blockquote>
<p>Either the 'unsafe-inline' keyword, <strong>a hash ('sha256-j69kMLNHErwf2Xyju05S+HrqhF6iQdmyWjxO2peCm10=')</strong>, or a nonce ('nonce-...') is required to enable inline execution.</p>
</blockquote>
<p><em>(emphasis mine)</em></p>
<p><img alt="Content Security Policy vialation" src="https://xo.tc/images/content-security-policy-vialation.png"></p>
<p>Of course that's fine if you are ok with temporarily breaking your script but what if you want to calculate it before putting it on you your site?</p>
<p>My new inline script is:</p>
<div class="highlight"><pre><span></span><code><span class="c"><!-- Piwik --></span>
<span class="p"><</span><span class="nt">script</span> <span class="na">type</span><span class="o">=</span><span class="s">"text/javascript"</span><span class="p">></span>
<span class="kd">var</span> <span class="nx">_paq</span> <span class="o">=</span> <span class="nx">_paq</span> <span class="o">||</span> <span class="p">[];</span>
<span class="nx">_paq</span><span class="p">.</span><span class="nx">push</span><span class="p">([</span><span class="s1">'trackPageView'</span><span class="p">]);</span>
<span class="nx">_paq</span><span class="p">.</span><span class="nx">push</span><span class="p">([</span><span class="s1">'enableLinkTracking'</span><span class="p">]);</span>
<span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span>
<span class="kd">var</span> <span class="nx">u</span><span class="o">=</span><span class="s2">"//piwik.xo.tc/"</span><span class="p">;</span>
<span class="nx">_paq</span><span class="p">.</span><span class="nx">push</span><span class="p">([</span><span class="s1">'setTrackerUrl'</span><span class="p">,</span> <span class="nx">u</span><span class="o">+</span><span class="s1">'piwik.php'</span><span class="p">]);</span>
<span class="nx">_paq</span><span class="p">.</span><span class="nx">push</span><span class="p">([</span><span class="s1">'setSiteId'</span><span class="p">,</span> <span class="mf">2</span><span class="p">]);</span>
<span class="kd">var</span> <span class="nx">d</span><span class="o">=</span><span class="nb">document</span><span class="p">,</span> <span class="nx">g</span><span class="o">=</span><span class="nx">d</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="s1">'script'</span><span class="p">),</span> <span class="nx">s</span><span class="o">=</span><span class="nx">d</span><span class="p">.</span><span class="nx">getElementsByTagName</span><span class="p">(</span><span class="s1">'script'</span><span class="p">)[</span><span class="mf">0</span><span class="p">];</span>
<span class="nx">g</span><span class="p">.</span><span class="nx">type</span><span class="o">=</span><span class="s1">'text/javascript'</span><span class="p">;</span> <span class="nx">g</span><span class="p">.</span><span class="k">async</span><span class="o">=</span><span class="kc">true</span><span class="p">;</span> <span class="nx">g</span><span class="p">.</span><span class="nx">defer</span><span class="o">=</span><span class="kc">true</span><span class="p">;</span> <span class="nx">g</span><span class="p">.</span><span class="nx">src</span><span class="o">=</span><span class="nx">u</span><span class="o">+</span><span class="s1">'piwik.js'</span><span class="p">;</span> <span class="nx">s</span><span class="p">.</span><span class="nx">parentNode</span><span class="p">.</span><span class="nx">insertBefore</span><span class="p">(</span><span class="nx">g</span><span class="p">,</span><span class="nx">s</span><span class="p">);</span>
<span class="p">})();</span>
<span class="p"></</span><span class="nt">script</span><span class="p">></span>
<span class="p"><</span><span class="nt">noscript</span><span class="p">><</span><span class="nt">p</span><span class="p">><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">"//piwik.xo.tc/piwik.php?idsite=2"</span> <span class="na">style</span><span class="o">=</span><span class="s">"border:0;"</span> <span class="na">alt</span><span class="o">=</span><span class="s">""</span> <span class="p">/></</span><span class="nt">p</span><span class="p">></</span><span class="nt">noscript</span><span class="p">></span>
<span class="c"><!-- End Piwik Code --></span>
</code></pre></div>
<p>Now we don't include the <script> tags but white space is significant so in my case I needed a line break (blank line) at the start because there is a linebreak just after the opeing <script> tag but I didn't need a blank line at the end. I saved a <a href="https://xo.tc/documents/piwik_script.txt">text file</a> with the script in it and ran</p>
<div class="highlight"><pre><span></span><code>openssl dgst -sha256 -binary piwik_script.txt <span class="p">|</span> openssl enc -base64
</code></pre></div>
<p>which is based on the <a href="https://www.w3.org/TR/CSP2/#script-src-hash-usage">example</a> from the W3C recommendation about CSPs.</p>Occam's razor2017-03-30T07:00:00+08:002017-03-30T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-03-30:/occams-razor.html<p>I mentioned Occam's razor in a <a href="https://xo.tc/attribution-is-about-more-than-just-technical-evidence.html">previous post</a> and it's a philosophy I'm a huge fan of. Especially in information secuirty. </p>
<p>Often it's summed up as </p>
<blockquote>
<p>"the simplest explanation is usually the correct one"</p>
</blockquote>
<p>I think it's easy to get carried away with theories that <em>could</em> be posible rather than …</p><p>I mentioned Occam's razor in a <a href="https://xo.tc/attribution-is-about-more-than-just-technical-evidence.html">previous post</a> and it's a philosophy I'm a huge fan of. Especially in information secuirty. </p>
<p>Often it's summed up as </p>
<blockquote>
<p>"the simplest explanation is usually the correct one"</p>
</blockquote>
<p>I think it's easy to get carried away with theories that <em>could</em> be posible rather than focus on the theories that are the most likely.</p>The HP Automated Storage Manager Server service terminated unexpectedly.2017-03-23T07:00:00+08:002017-03-23T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-03-23:/the-hp-automated-storage-manager-server-service-terminated-unexpectedly.html<p>About a week ago we had an issue with a HP X1600 G2 Network Storage System Server. After rebooting we got an error message in the event log roughly ever minute with Event ID 7031</p>
<div class="highlight"><pre><span></span><code>The HP Automated Storage Manager Server service terminated unexpectedly. It has done this 1 time …</code></pre></div><p>About a week ago we had an issue with a HP X1600 G2 Network Storage System Server. After rebooting we got an error message in the event log roughly ever minute with Event ID 7031</p>
<div class="highlight"><pre><span></span><code>The HP Automated Storage Manager Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
</code></pre></div>
<p>followed by an informational log with Event ID 7036</p>
<div class="highlight"><pre><span></span><code>The HP Automated Storage Manager Server service entered the running state.
</code></pre></div>
<p>and it kept looping through those two messages.</p>
<p>After some digging around we worked out that it was a USB hard drive causing the error. The hard drive had been plugged in for almost a month but it seems the version of HP Automated Storage Manager we were running couldn't start if there was a USB hard drive attached. Attaching the drive after the service has started doesn't cause issues which is why the error didn't crop up until after we rebooted the server.</p>
<p>Hopefully that helps someone else who is scratching their head trying to work out this issue.</p>Attribution is about more than just technical evidence2017-03-16T07:00:00+08:002017-03-16T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-03-16:/attribution-is-about-more-than-just-technical-evidence.html<p>There is a story that's been doing the rounds lately about malware that took control of microphones and <a href="https://arstechnica.com/security/2017/02/hackers-who-took-control-of-pc-microphones-siphon-600-gb-from-70-targets/">uploaded over 600 GB of audio</a> to its command and control. As others in the security industry have pointed out this is a great example of where we can make fairly confident …</p><p>There is a story that's been doing the rounds lately about malware that took control of microphones and <a href="https://arstechnica.com/security/2017/02/hackers-who-took-control-of-pc-microphones-siphon-600-gb-from-70-targets/">uploaded over 600 GB of audio</a> to its command and control. As others in the security industry have pointed out this is a great example of where we can make fairly confident guesses about the origin of the malware without even looking at the "Technical" evidence; Things like network logs, packet captures, infection vectors and reverse engineering the binaries to look for clues to trace the attacks back.</p>
<p>Instead, we can look at a more political angle. As a quick off the back of the envelope calculation if we had 600GB MP3 files at 128kbps<sup id="fnref:mp3-files"><a class="footnote-ref" href="#fn:mp3-files">1</a></sup> it would be <a href="https://www.wolframalpha.com/input/?i=600GB+at+128kbps">more than 10,000 hours or over a year of audio</a>. We can also see the computers infected were in the Ukraine, so we can say "Who would have the capacity and desire to listen to over 10,000 hours of Ukrainian conversations?"<sup id="fnref:bluff"><a class="footnote-ref" href="#fn:bluff">2</a></sup></p>
<p>Sure it might not prove attribution that would stand up in a court of law to "Beyond a reasonable doubt" but it points very strongly in one direction.</p>
<p>I was once involved in a situation where a document had been leaked. Several people had access to that document and any of them could have leaked it, but we looked at when the document was leaked, who it was leaked to and who stood to gain from the leak. In the end, we had a pretty good idea about who had leaked the document, maybe not "beyond a reasonable doubt" level of confidence but enough that we were satisfied.</p>
<p>I think in a heavily technical field where some things can be boolean it's easy to overlook the more social and political aspects where things are not so definite.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:mp3-files">
<p>I have no idea what codec or compression levels were being used, but 128kbps is a fairly average rate. <a class="footnote-backref" href="#fnref:mp3-files" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:bluff">
<p>While that's possible that siphoning off the audio could be misdirection. I think <a href="https://en.wikipedia.org/wiki/Occam%27s_razor">Occam's razor</a> applies here and "the simplest explanation is usually the correct one". <a class="footnote-backref" href="#fnref:bluff" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>One hundred prisoners and a light bulb simulation2017-03-09T07:00:00+08:002017-03-09T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-03-09:/one-hundred-prisoners-and-a-light-bulb-simulation.html<p>This is a little off my usual topic of IT Security but it's something I've been thinking about a bit lately. I recently came across the "One hundred prisoners and a light bulb" riddle. It was <a href="http://www.ias.uwa.edu.au/lectures/van-ditmarsch">posed as</a>:</p>
<blockquote>
<p>A group of 100 prisoners, all together in the prison dining area …</p></blockquote><p>This is a little off my usual topic of IT Security but it's something I've been thinking about a bit lately. I recently came across the "One hundred prisoners and a light bulb" riddle. It was <a href="http://www.ias.uwa.edu.au/lectures/van-ditmarsch">posed as</a>:</p>
<blockquote>
<p>A group of 100 prisoners, all together in the prison dining area, are told that they will be all put in isolation cells and then will be interrogated one by one in a room containing a light with an on/off switch. The prisoners may communicate with one another by toggling the light-switch (and that is the only way in which they can communicate). The light is initially switched off. There is no fixed order of interrogation, or interval between interrogations, and the same prisoner will be interrogated again at any stage. When interrogated, a prisoner can either do nothing, or toggle the light-switch, or announce that all prisoners have been interrogated. If that announcement is true, the prisoners will (all) be set free, but if it is false, they will all be executed. While still in the dining room, and before the prisoners go to their isolation cells (forever), can the prisoners agree on a protocol that will set them free?</p>
</blockquote>
<p>I think there are several version that all run along the same lines but with slightly tweaked wording.</p>
<p>The general solution to the puzzle is that;</p>
<ul>
<li>All the prisoners decied to elect one prisoner as the leader.</li>
<li>When a prisoner is interrogated if the light is off and they have not switched it on before they will switch the light on. Otherwise they will leave the light unchanged.</li>
<li>Only the leader can switch the light off. After the leaer has switched the light off 99 times they know all other prisoners must have been interrogated.</li>
</ul>
<p>This works and from a logic point of view is fairly elegant. However it seemed inefficient to me. I wanted to know how many interrogations before the prisoners are set free. I feel sure there is some mathematical way you could calculate the average but that's beyond me so I <strike>kidnaped 100 people and locked them in my basement</strike> wrote a Python script to simulate the problem.</p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/usr/bin/python3</span>
<span class="c1"># -*- coding: UTF-8 -*-</span>
<span class="sd">"""</span>
<span class="sd">A group of 100 prisoners, all together in the prison dining area, are told that</span>
<span class="sd">they will be all put in isolation cells and then will be interrogated one by</span>
<span class="sd">one in a room containing a light with an on/off switch. The prisoners may</span>
<span class="sd">communicate with one another by toggling the light-switch (and that is the</span>
<span class="sd">only way in which they can communicate). The light is initially switched off.</span>
<span class="sd">There is no fixed order of interrogation, or interval between interrogations,</span>
<span class="sd">and the same prisoner will be interrogated again at any stage. When</span>
<span class="sd">interrogated, a prisoner can either do nothing, or toggle the light-switch,</span>
<span class="sd">or announce that all prisoners have been interrogated. If that announcement is</span>
<span class="sd">true, the prisoners will (all) be set free, but if it is false, they will all</span>
<span class="sd">be executed.</span>
<span class="sd">While still in the dining room, and before the prisoners go to their isolation</span>
<span class="sd">cells (forever), can the prisoners agree on a protocol that will set them free?</span>
<span class="sd">"""</span>
<span class="kn">import</span> <span class="nn">random</span>
<span class="n">light_bulb_on</span> <span class="o">=</span> <span class="kc">False</span>
<span class="k">class</span> <span class="nc">Prisoner</span><span class="p">():</span>
<span class="sd">"""The basic class there should be 100 of these"""</span>
<span class="k">def</span> <span class="fm">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="sd">"""Sets up the initial variables"""</span>
<span class="bp">self</span><span class="o">.</span><span class="n">has_switched_on_light_bulb</span> <span class="o">=</span> <span class="kc">False</span>
<span class="k">def</span> <span class="nf">interigation</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="sd">"""</span>
<span class="sd"> When the prisoner goes into the room, if the light is on they leave it</span>
<span class="sd"> otherwise if it's off and they have not yet switched it on they turn</span>
<span class="sd"> the light bulb on</span>
<span class="sd"> """</span>
<span class="k">global</span> <span class="n">light_bulb_on</span>
<span class="k">if</span> <span class="bp">self</span><span class="o">.</span><span class="n">has_switched_on_light_bulb</span> <span class="ow">is</span> <span class="kc">False</span> <span class="ow">and</span> <span class="n">light_bulb_on</span> <span class="ow">is</span> <span class="kc">False</span><span class="p">:</span>
<span class="n">light_bulb_on</span> <span class="o">=</span> <span class="kc">True</span>
<span class="bp">self</span><span class="o">.</span><span class="n">has_switched_on_light_bulb</span> <span class="o">=</span> <span class="kc">True</span>
<span class="k">class</span> <span class="nc">Leader</span><span class="p">(</span><span class="n">Prisoner</span><span class="p">):</span>
<span class="sd">"""</span>
<span class="sd"> Only the leader can switch the light bulb off. After they have swtiched the</span>
<span class="sd"> light bulb off 99 times, they know all prisoners have been interrogated.</span>
<span class="sd"> """</span>
<span class="k">def</span> <span class="fm">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="sd">"""Sets up the initial variables"""</span>
<span class="n">Prisoner</span><span class="o">.</span><span class="fm">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">)</span>
<span class="bp">self</span><span class="o">.</span><span class="n">switch_off_count</span> <span class="o">=</span> <span class="mi">0</span>
<span class="k">def</span> <span class="nf">interigation</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="p">):</span>
<span class="sd">"""</span>
<span class="sd"> When the leader gets in interrogated they can switch the light off</span>
<span class="sd"> """</span>
<span class="k">global</span> <span class="n">light_bulb_on</span>
<span class="k">if</span> <span class="n">light_bulb_on</span><span class="p">:</span>
<span class="n">light_bulb_on</span> <span class="o">=</span> <span class="kc">False</span>
<span class="bp">self</span><span class="o">.</span><span class="n">switch_off_count</span> <span class="o">+=</span> <span class="mi">1</span>
<span class="k">if</span> <span class="bp">self</span><span class="o">.</span><span class="n">switch_off_count</span> <span class="o">==</span> <span class="mi">99</span><span class="p">:</span>
<span class="k">return</span> <span class="s2">"All prisoners have been interrogated"</span>
<span class="k">def</span> <span class="nf">run_simulation</span><span class="p">():</span>
<span class="sd">"""</span>
<span class="sd"> Runs a simulation of the onehundred prisoners and a light bulb problem and</span>
<span class="sd"> returns the number of interigations before the prisoners are released.</span>
<span class="sd"> """</span>
<span class="c1"># Add one leader and 99 prisoners</span>
<span class="n">number_of_interigations</span> <span class="o">=</span> <span class="mi">0</span>
<span class="n">responce</span> <span class="o">=</span> <span class="kc">None</span>
<span class="n">prisoners</span> <span class="o">=</span> <span class="p">[</span><span class="n">Leader</span><span class="p">()]</span>
<span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">99</span><span class="p">):</span>
<span class="n">prisoners</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">Prisoner</span><span class="p">())</span>
<span class="k">while</span> <span class="n">responce</span> <span class="o">!=</span> <span class="s2">"All prisoners have been interrogated"</span><span class="p">:</span>
<span class="n">responce</span> <span class="o">=</span> <span class="n">random</span><span class="o">.</span><span class="n">choice</span><span class="p">(</span><span class="n">prisoners</span><span class="p">)</span><span class="o">.</span><span class="n">interigation</span><span class="p">()</span>
<span class="n">number_of_interigations</span> <span class="o">+=</span> <span class="mi">1</span>
<span class="k">return</span> <span class="n">number_of_interigations</span>
<span class="c1"># Run the simulation 1000 times and print out the average number of</span>
<span class="c1"># interigations before the prisoners are released.</span>
<span class="n">average</span> <span class="o">=</span> <span class="mi">0</span>
<span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">1000</span><span class="p">):</span>
<span class="n">average</span> <span class="o">+=</span> <span class="n">run_simulation</span><span class="p">()</span>
<span class="nb">print</span><span class="p">(</span><span class="n">average</span> <span class="o">//</span> <span class="mi">1000</span><span class="p">)</span>
</code></pre></div>
<p>Making that script object oriented is compleate overkill but it was fun to write. I've made some assumptions here, mainly that the prisoners are interrogated in a random order and continuously until one of them says "All prisoners have been interrogated".</p>
<p>It usually takes around 10400 interigations before the prisoners are set free. I then started thinking about other issues like what if the interigations are not random. My sister sent me a link to a <a href="http://homepages.cwi.nl/~jve/papers/10/pdfs/JANCLlightbulb.pdf">journal article</a> that looks into all these posibilities. It's a fun little distraction for those who like logic puzzles.</p>Using the new(ish) Nextcloud updater2017-03-02T07:00:00+08:002017-03-02T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-03-02:/using-the-newish-nextcloud-updater.html<p>I first started playing with ownCloud back in early 2012 with version 3, and started using it seriously in mid 2014 as my main tool for syncing my Calendar, Contacts and files having migrated away from Google's Calendar/Contacts/Drive.</p>
<p>But one of my biggest complaints was the update mechanism …</p><p>I first started playing with ownCloud back in early 2012 with version 3, and started using it seriously in mid 2014 as my main tool for syncing my Calendar, Contacts and files having migrated away from Google's Calendar/Contacts/Drive.</p>
<p>But one of my biggest complaints was the update mechanism, or rather the lack of one. On September 29th 2016 I published a copy of <a href="https://xo.tc/using-the-newish-nextcloud-updater.html">my ownCloud update script</a> nothing amazing but it did the job. In that post I said that</p>
<blockquote>
<p>I've been looking at <a href="https://nextcloud.com/">NextCloud</a>, I haven't made the switch yet but if they introduce an automatic update mechanism that would be a big enough draw card for me to change.</p>
</blockquote>
<p>I didn't realise it at the time but also on the 29th of September 2016 Nextcloud <a href="https://nextcloud.com/blog/new-nextcloud-maintenance-releases-out-with-improved-updater-and-over-40-fixes/">annoucned</a> a new updater mechanism. Not fully automatic like wordpress security updates, but a good step in the right directon.</p>
<p>Early in 2017 I decided to take the plunge and migrate across to Nextcloud and I've just done my first in browser upgrade, from 11.0.1 to 11.0.2.</p>
<p>It started with a notificaton in the browser and also on the desktop client.</p>
<p><img alt="Update notification" src="https://xo.tc/images/next-cloud-updater-1-notification.png"></p>
<p>I went into the admin panel</p>
<p><img alt="Admin panel" src="https://xo.tc/images/next-cloud-updater-2-admin.png"></p>
<p>Under the version section I clicked Open updater</p>
<p><img alt="Open updater" src="https://xo.tc/images/next-cloud-updater-3-open-updater.png"></p>
<p>Then simply hit Start update</p>
<p><img alt="Start update" src="https://xo.tc/images/next-cloud-updater-4-start-update.png"></p>
<p>It ran through all of the steps in a couple of minutes then I picked "No" to exit maintenance mode.</p>
<p><img alt="exit maintenance mode" src="https://xo.tc/images/next-cloud-updater-5-exit-maintenance-mode.png"></p>
<p>Then I returned back to the home page to finish the database upgrade</p>
<p><img alt="return to home page" src="https://xo.tc/images/next-cloud-updater-6-return-to-home-page.png"></p>
<p>From there, the update was the same as before; click on "Start update" to start upgrading the database</p>
<p><img alt="start database upgrade" src="https://xo.tc/images/next-cloud-updater-7-database-upgrade.png"></p>
<p>After the upgrade continue on to Nextcloud and re-enable any 3rd party apps that have been disabled.</p>
<p><img alt="finish Nexcloud update" src="https://xo.tc/images/next-cloud-updater-8-database-upgrade-finished.png"></p>
<p>The overall process was very easy and felt much more user friendly than SSHing in and running my bash script.</p>Using ssh config to save settings and make your life easier2017-02-23T07:00:00+08:002017-02-23T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-02-23:/using-ssh-config-to-save-settings-and-make-your-life-easier.html<p>SSH is an amazing tool, I use it all the time and not just for logging into remote computers, but also to create tunnels, copy files and access git repositories.</p>
<p>But I don't want to have to remember fidily commands something like <code>ssh I2P_Router</code> is so much nicer than something …</p><p>SSH is an amazing tool, I use it all the time and not just for logging into remote computers, but also to create tunnels, copy files and access git repositories.</p>
<p>But I don't want to have to remember fidily commands something like <code>ssh I2P_Router</code> is so much nicer than something like</p>
<div class="highlight"><pre><span></span><code><span class="n">ssh</span><span class="w"> </span><span class="o">-</span><span class="n">i</span><span class="w"> </span><span class="p">.</span><span class="n">ssh</span><span class="o">/</span><span class="n">Michael</span><span class="o">-</span><span class="n">Van</span><span class="o">-</span><span class="n">Delft</span><span class="p">.</span><span class="n">id_rsa</span><span class="w"> </span><span class="o">-</span><span class="n">L</span><span class="w"> </span><span class="mi">7657</span><span class="err">:</span><span class="nl">localhost</span><span class="p">:</span><span class="mi">7657</span><span class="w"> </span><span class="o">-</span><span class="n">L</span><span class="w"> </span><span class="mi">4444</span><span class="err">:</span><span class="nl">localhost</span><span class="p">:</span><span class="mi">4444</span><span class="w"> </span><span class="o">-</span><span class="n">L</span><span class="w"> </span><span class="mi">6668</span><span class="err">:</span><span class="nl">localhost</span><span class="p">:</span><span class="mi">6668</span><span class="w"> </span><span class="n">i2p_user</span><span class="nv">@example</span><span class="p">.</span><span class="nl">com</span><span class="p">:</span><span class="mi">2233</span><span class="w"></span>
</code></pre></div>
<p>I keep my <code>~/.ssh</code> folder synced as a git repository, that I sync over https with <a href="https://xo.tc/setting-up-gogs-on-debian-jessie-with-apache2-and-postgresql.html">gogs</a>. For all other git repositories I use ssh, but https solves the bootstap problem where I setup a new computer and want to download my ssh settings.</p>
<p>Below is an example of my <code>~/.ssh/config</code> file with just a few changes.</p>
<div class="highlight"><pre><span></span><code><span class="c1"># Override /etc/ssh_config</span>
<span class="c1"># This is a potential issue where someone who can read your ~/.ssh/known_hosts</span>
<span class="c1"># can see what servers you have SSHed into. However I'm not concerned by that.</span>
<span class="c1"># It makes it much easier to just delete one line from known_hosts when a</span>
<span class="c1"># server changes key.</span>
HashKnownHosts no
<span class="c1">###############################################################################</span>
<span class="c1"># Servers #</span>
<span class="c1">###############################################################################</span>
Host example.com www.example.com brand.example.com
IdentityFile ~/.ssh/Michael-Van-Delft.id_rsa
User michael
<span class="c1"># Port forwarding for I2P. Simply run `ssh I2P_Router`</span>
<span class="c1"># then browse to http://localhost:7657/</span>
Host I2P_Router
HostName example.net
IdentityFile ~/.ssh/Michael-Van-Delft.id_rsa
User i2p_user
LocalForward <span class="m">7657</span> localhost:7657
LocalForward <span class="m">4444</span> localhost:4444
LocalForward <span class="m">6668</span> localhost:6668
<span class="c1"># Example of a local server with IPv6 only</span>
Host zilean
IdentityFile ~/.ssh/pi@zilean.example.com.id_rsa
User pi
AddressFamily inet6
HostName <span class="m">2001</span>:0db8:6101:cc01::7
<span class="c1">###############################################################################</span>
<span class="c1"># Git and Service accounts #</span>
<span class="c1">###############################################################################</span>
Host github.com
HostName github.com
IdentityFile ~/.ssh/git@github.com.id_rsa
User git
IdentitiesOnly yes
<span class="c1"># This is good if you have a server you ssh into (like example.com from the top</span>
<span class="c1"># entry) where you want to use diffrent credentials for git as you do when you</span>
<span class="c1"># SSH in normaly.</span>
<span class="c1">#</span>
<span class="c1"># To clone a repository simply run</span>
<span class="c1"># git clone gogs:Michael/exotic-security.git</span>
Host gogs
HostName example.com
IdentityFile ~/.ssh/gogs.id_ed25519
User git
IdentitiesOnly yes
</code></pre></div>Simple postgres basics2017-02-16T07:00:00+08:002017-02-16T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-02-16:/simple-postgres-basics.html<p>This is another one of <a href="https://xo.tc/tag/note-to-self.html">those things</a> I've done all this several times before, but need to keep looking up the documentation.</p>
<p>To login to PostgreSQL after a fresh installation<sup id="fnref:installation"><a class="footnote-ref" href="#fn:installation">1</a></sup> you need to change to the postgres user and run psql (no password needed, it uses <a href="https://www.postgresql.org/docs/9.1/static/auth-methods.html#AUTH-PEER">Peer Authentication</a>)</p>
<div class="highlight"><pre><span></span><code>sudo …</code></pre></div><p>This is another one of <a href="https://xo.tc/tag/note-to-self.html">those things</a> I've done all this several times before, but need to keep looking up the documentation.</p>
<p>To login to PostgreSQL after a fresh installation<sup id="fnref:installation"><a class="footnote-ref" href="#fn:installation">1</a></sup> you need to change to the postgres user and run psql (no password needed, it uses <a href="https://www.postgresql.org/docs/9.1/static/auth-methods.html#AUTH-PEER">Peer Authentication</a>)</p>
<div class="highlight"><pre><span></span><code>sudo -u postgres psql
</code></pre></div>
<p>from there you can create a user and access it as you normally would.</p>
<div class="highlight"><pre><span></span><code>createuser -P -s -e michael
</code></pre></div>
<p>to connect to a database use</p>
<div class="highlight"><pre><span></span><code>\c database_name
</code></pre></div>
<p>to list the tables run</p>
<div class="highlight"><pre><span></span><code>\dt
</code></pre></div>
<p>and to make the output format expanded so it fits on a small screen simply switch</p>
<div class="highlight"><pre><span></span><code>\x on
</code></pre></div>
<div class="footnote">
<hr>
<ol>
<li id="fn:installation">
<p>In my case that's usually on Debian or Ubuntu but it should be the same on most Linux distros. <a class="footnote-backref" href="#fnref:installation" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>My IP Tables script example2017-02-09T07:00:00+08:002017-02-09T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-02-09:/my-ip-tables-script-example.html<p>Below is an example of the IP Tables script I use on many of my servers. The names and IP addresses have been changed to <a href="https://en.wikipedia.org/wiki/Reserved_IP_addresses">reserved addresses</a> and obviously it needs to be tweaked each time for relevent rules. </p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/bin/bash</span>
<span class="c1"># This script is symlinked to /etc/network/if-pre-up.d …</span></code></pre></div><p>Below is an example of the IP Tables script I use on many of my servers. The names and IP addresses have been changed to <a href="https://en.wikipedia.org/wiki/Reserved_IP_addresses">reserved addresses</a> and obviously it needs to be tweaked each time for relevent rules. </p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/bin/bash</span>
<span class="c1"># This script is symlinked to /etc/network/if-pre-up.d/firewall-rules</span>
<span class="c1"># ln -s /home/michael/firewall-rules.sh /etc/network/if-pre-up.d/firewall-rules</span>
<span class="c1">################################################################################</span>
<span class="c1"># IPv4 Rules</span>
<span class="c1">################################################################################</span>
<span class="c1"># Networks</span>
<span class="nv">MichaelHome</span><span class="o">=</span><span class="s2">"198.51.100.122/32"</span>
<span class="nv">MichaelHomeV6</span><span class="o">=</span><span class="s2">"2001:db8:62F8:cc01::0/64"</span>
<span class="nv">TienHome</span><span class="o">=</span><span class="s2">"203.0.113.94/32"</span>
<span class="nv">WorkNetwork</span><span class="o">=</span><span class="s2">"192.0.2.0/24"</span>
<span class="k">function</span> GeneralRules <span class="o">{</span>
<span class="c1">#start and flush</span>
<span class="nv">$IPTABLES</span> -F
<span class="nv">$IPTABLES</span> -t nat -F
<span class="nv">$IPTABLES</span> -X
<span class="nv">$IPTABLES</span> -P FORWARD DROP
<span class="nv">$IPTABLES</span> -P INPUT DROP
<span class="nv">$IPTABLES</span> -P OUTPUT ACCEPT
<span class="c1">#Ping, Trace Route, etc...</span>
<span class="nv">$IPTABLES</span> -A INPUT -p icmp -j ACCEPT
<span class="c1">#Mail - SMTP, SMTPS, IMAP and IMAPS</span>
<span class="nv">$IPTABLES</span> -A INPUT -p tcp --dport <span class="m">25</span> -j ACCEPT <span class="c1">#SMTP</span>
<span class="nv">$IPTABLES</span> -A INPUT -p tcp --dport <span class="m">465</span> -j ACCEPT <span class="c1">#SMTPS</span>
<span class="nv">$IPTABLES</span> -A INPUT -p tcp --dport <span class="m">587</span> -j ACCEPT <span class="c1">#SMTP Submission</span>
<span class="nv">$IPTABLES</span> -A INPUT -p tcp --dport <span class="m">143</span> -j ACCEPT <span class="c1">#IMAP</span>
<span class="nv">$IPTABLES</span> -A INPUT -p tcp --dport <span class="m">993</span> -j ACCEPT <span class="c1">#IMAPS</span>
<span class="nv">$IPTABLES</span> -A INPUT -p tcp --dport <span class="m">4190</span> -j ACCEPT <span class="c1"># dovecot-sieve set mail filter settings.</span>
<span class="c1">#HTTP[S] traffic</span>
<span class="nv">$IPTABLES</span> -A INPUT -p tcp --dport <span class="m">80</span> -j ACCEPT
<span class="nv">$IPTABLES</span> -A INPUT -p tcp --dport <span class="m">443</span> -j ACCEPT
<span class="c1"># i2p</span>
<span class="nv">$IPTABLES</span> -A INPUT -p tcp --dport <span class="m">21546</span> -j ACCEPT
<span class="nv">$IPTABLES</span> -A INPUT -p udp --dport <span class="m">21546</span> -j ACCEPT
<span class="c1"># zeronet</span>
<span class="nv">$IPTABLES</span> -A INPUT -p tcp --dport <span class="m">15441</span> -j ACCEPT
<span class="c1">#Allow Establishted Sessions</span>
<span class="nv">$IPTABLES</span> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
<span class="c1">#loopback</span>
<span class="nv">$IPTABLES</span> -A INPUT -i lo -j ACCEPT
<span class="nv">$IPTABLES</span> -A OUTPUT -o lo -j ACCEPT
<span class="o">}</span>
<span class="k">function</span> IPv4Rules <span class="o">{</span>
<span class="c1"># SSH and Mosh</span>
<span class="nv">$IPTABLES</span> <span class="se">\</span>
-A INPUT <span class="se">\</span>
-p tcp <span class="se">\</span>
-s <span class="nv">$MichaelHome</span>,<span class="nv">$TienHome</span>,<span class="nv">$WorkNetwork</span> <span class="se">\</span>
--dport <span class="m">22</span> <span class="se">\</span>
-j ACCEPT
<span class="nv">$IPTABLES</span> <span class="se">\</span>
-A INPUT <span class="se">\</span>
-p udp <span class="se">\</span>
-s <span class="nv">$MichaelHome</span>,<span class="nv">$TienHome</span>,<span class="nv">$WorkNetwork</span> <span class="se">\</span>
--dport <span class="m">60000</span>:60010 <span class="se">\</span>
-j ACCEPT
<span class="o">}</span>
<span class="k">function</span> IPv6Rules <span class="o">{</span>
<span class="c1"># SSH and Mosh</span>
<span class="nv">$IPTABLES</span> <span class="se">\</span>
-A INPUT <span class="se">\</span>
-p tcp <span class="se">\</span>
-s <span class="nv">$MichaelHomeV6</span> <span class="se">\</span>
--dport <span class="m">22</span> <span class="se">\</span>
-j ACCEPT
<span class="nv">$IPTABLES</span> <span class="se">\</span>
-A INPUT <span class="se">\</span>
-p udp <span class="se">\</span>
-s <span class="nv">$MichaelHomeV6</span> <span class="se">\</span>
--dport <span class="m">60000</span>:60010 <span class="se">\</span>
-j ACCEPT
<span class="o">}</span>
<span class="c1">#Run general rules for both IPv4 and IPv6</span>
<span class="nv">IPTABLES</span><span class="o">=</span>/sbin/iptables
GeneralRules
IPv4Rules
<span class="nv">IPTABLES</span><span class="o">=</span>/sbin/ip6tables
GeneralRules
IPv6Rules
<span class="c1">#DHCP</span>
<span class="nv">$IPTABLES</span> -A INPUT -p udp --dport <span class="m">546</span> -j ACCEPT
<span class="nv">$IPTABLES</span> -A INPUT -p icmpv6 -j ACCEPT
</code></pre></div>pip changing from pep8 to pycodestyle2017-02-02T07:00:00+08:002017-02-02T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-02-02:/pip-changing-from-pep8-to-pycodestyle.html<p>I recently updated one of the packages in <a href="https://atom.io/">Atom</a> that was called <code>linter-pep8</code> to version 2.0 which was renamed to <a href="https://atom.io/packages/linter-pycodestyle"><code>linter-pycodestyle</code></a>. This is because <a href="https://pypi.python.org/pypi/pep8">PEP8 the package</a> was renamed to <a href="https://pypi.python.org/pypi/pycodestyle">pycodestyle</a> to reduse confusion between the package and the <a href="https://www.python.org/dev/peps/pep-0008/">PEP8 the specification</a>.</p>
<p>However after I opened Atom I got …</p><p>I recently updated one of the packages in <a href="https://atom.io/">Atom</a> that was called <code>linter-pep8</code> to version 2.0 which was renamed to <a href="https://atom.io/packages/linter-pycodestyle"><code>linter-pycodestyle</code></a>. This is because <a href="https://pypi.python.org/pypi/pep8">PEP8 the package</a> was renamed to <a href="https://pypi.python.org/pypi/pycodestyle">pycodestyle</a> to reduse confusion between the package and the <a href="https://www.python.org/dev/peps/pep-0008/">PEP8 the specification</a>.</p>
<p>However after I opened Atom I got an error message <code>Error: spawn pycodestyle ENOENT</code></p>
<p><img alt="Error: spawn pycodestyle ENOENT" src="https://xo.tc/images/error-spawning-pycodestyle-enoent.png"></p>
<p>because I hadn't upgraded the python package. As I wasn't using PEP8 for anything else I uninstalled it and installed pycodestyle. On windows I'd installed Python 3.6 x64 for all users so it was Python was installed <code>C:\Program Files\Python36\</code></p>
<div class="highlight"><pre><span></span><code>"C:\Program Files\Python36\Scripts\pip.exe" uninstall pep8
"C:\Program Files\Python36\Scripts\pip.exe" install pycodestyle
</code></pre></div>
<p>on Linux<sup id="fnref:linux"><a class="footnote-ref" href="#fn:linux">1</a></sup> pip was in my <code>PATH</code> environment varable so I simply ran</p>
<div class="highlight"><pre><span></span><code>sudo pip uninstall pep8
sudo pip install pycodestyle
</code></pre></div>
<p>And that fixed up my issues.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:linux">
<p>In my case that was Arch Linux and Debian Jessie. <a class="footnote-backref" href="#fnref:linux" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Failing Loudly2017-01-26T07:00:00+08:002017-01-26T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-01-26:/failing-loudly.html<p>There is a concept in IT called 'failing loudly' as opposed to 'failing silently'. The idea is when something goes wrong it should be obvious and generally everything should come to a halt instead of trying to carry on with errors.</p>
<p>An example of this is running a REST API …</p><p>There is a concept in IT called 'failing loudly' as opposed to 'failing silently'. The idea is when something goes wrong it should be obvious and generally everything should come to a halt instead of trying to carry on with errors.</p>
<p>An example of this is running a REST API and only opening port 443, but leaving port 80 is closed. Connections are either secure or don't work at all.</p>
<p>There was a change with systemd where if the <code>/etc/fstab</code> files had errors in it, the system would hang at boot forever until some sort of user input fixed the issues. The previous behaviour was to simply show an error while booting but continue on regardless. The systemd argument was that it's better not to boot at all than to boot into a broken state, such as with a hard drive missing and potentially lose data.</p>
<p>As with every design approach it has it's place, it's not always the appropriate way to do things. It comes down to what you want to prioritizes. But I think it's very appropriate for things which need good security.</p>Expiry dates on smart phones and other IoT devices2017-01-19T07:00:00+08:002017-01-19T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-01-19:/expiry-dates-on-smart-phones-and-other-iot-devices.html<p>A while ago someone<sup id="fnref:someone"><a class="footnote-ref" href="#fn:someone">1</a></sup> suggested the idea of putting an expiry date on smart phones. The idea was that when manufacturing a device the company would have to commit to pushing out fixes to any <a href="https://cve.mitre.org/">CVEs</a> that come up until the given date. So when buying a phone there …</p><p>A while ago someone<sup id="fnref:someone"><a class="footnote-ref" href="#fn:someone">1</a></sup> suggested the idea of putting an expiry date on smart phones. The idea was that when manufacturing a device the company would have to commit to pushing out fixes to any <a href="https://cve.mitre.org/">CVEs</a> that come up until the given date. So when buying a phone there would be an expiry date printed on the packageing and consumer could be sure of reciving a supported product until that time.</p>
<p>After the <a href="https://en.wikipedia.org/wiki/Mirai_%28malware%29">Mirai botnet</a> struck there was a lot of discussion around what to do about the Internet of Things (IoT) threat. Bruce Schneier <a href="https://www.schneier.com/blog/archives/2016/10/security_econom_1.html">wrote</a> that it was</p>
<blockquote>
<p>a market failure that can't get fixed on its own.</p>
</blockquote>
<p>and that it needed some sort of government intervention to fix. I tend to agree with his analysis, there is little to no incentive for vendors to fix the bugs in some internet connected smart toaster. Most consumers don't care if their $20 toaster has been hacked and used to DDoS some website, so long as it sill makes toast. And most vendors of IoT stuff don't have long product cycles and certanly don't budget the time and resources to fix things two years after they have been sold.</p>
<p>The aproach I'd take<sup id="fnref:my-aproach"><a class="footnote-ref" href="#fn:my-aproach">2</a></sup> to fixing the IoT threat would be to introduce manditory expiry dates for internet connected things. This wouldn't mean consumers couldn't continue to use them after the expiry date, just that the manufacturers must fix issues with products that have not expired and vendors can't sell expired items. It could be on some sort of sliding scale so things like internet connected washing machines might be 5 years while phones might only be 2 years. A bit like a manufacturer's warranty.</p>
<p>I'd introduce some sort of certification, a minimum security standard that devices need to conform to. This would be pretty simple check box security but it would be good base line. Things like the device must have some sort of automatic update process so that when things do go wrong, they can be fixed. And the update process should check the updates are signed.</p>
<p>I'd also heavily push some standard environments, things like Raspberry Pi's running <a href="https://www.raspberrypi.org/downloads/raspbian/">Raspbian</a> and <a href="https://developer.microsoft.com/en-us/windows/iot">Windows 10 for IoT</a><sup id="fnref:Windows"><a class="footnote-ref" href="#fn:Windows">3</a></sup>. This would make certification easier because the base environment could already be certified and could make best practice easier and shooting yourself in the foot harder.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:someone">
<p>After a fair amount of searching I still can't find the original source but I'm pretty sure it was a comment on an LWN article about a horrible android bug (possibly libstagefright) where I first came across the idea. <a class="footnote-backref" href="#fnref:someone" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:my-aproach">
<p>Let's just pretend we live in a fantasy world here where governments could move quickly and cooperate, and import and export regulations could actually be applied to things like $13 internet connected light bulbs for sale on eBay. <a class="footnote-backref" href="#fnref:my-aproach" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:Windows">
<p>I think diversity is important and I'd like to see at least 3 or 4 base platforms. If nothing else so you don't get one bug that just ripps through all devices. <a class="footnote-backref" href="#fnref:Windows" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
</ol>
</div>Submission to the Attorney-general's Department - Access to telecommunications data in civil proceedings2017-01-12T00:00:00+08:002017-01-12T00:00:00+08:00Michael Van Delfttag:xo.tc,2017-01-12:/submission-to-the-attorney-generals-department-access-to-telecommunications-data-in-civil-proceedings.html<p>On the 21st of December 2016, the Attorney-general's Department <a href="https://www.ag.gov.au/Consultations/Pages/Access-to-telecommunications-data-in-civil-proceedings.aspx">requested</a> submissions regarding the use of telecommunications data held by a service provider solely for the purpose of complying with the <a href="https://www.ag.gov.au/dataretention">mandatory data retention regime</a> in civil litigation. The original closure date for submission was the 13th of January but it's …</p><p>On the 21st of December 2016, the Attorney-general's Department <a href="https://www.ag.gov.au/Consultations/Pages/Access-to-telecommunications-data-in-civil-proceedings.aspx">requested</a> submissions regarding the use of telecommunications data held by a service provider solely for the purpose of complying with the <a href="https://www.ag.gov.au/dataretention">mandatory data retention regime</a> in civil litigation. The original closure date for submission was the 13th of January but it's been moved back to Friday the 27th January.</p>
<p>The following is an open letter I'm making as a Submission to Attorney-general's Department, I'd encourage others to use it as a template and make their own submissions. Also avalible as a <a href="https://xo.tc/submission-on-metadata-usage-in-civil-litigation.odt">LibreOffice</a> and a <a href="https://xo.tc/submission-on-metadata-usage-in-civil-litigation.pdf">pdf</a> versions.</p>
<hr>
<p>Retained data in civil proceedings consultation<br>
Communications Security Branch<br>
Attorney-General's Department<br>
3-5 National Circuit<br>
BARTON ACT 2600 </p>
<p><strong>Submission against the use of telecommunications data held by a service provider solely for the purpose of complying with the mandatory data retention regime in any civil litigation</strong></p>
<p>When mandatory metadata retention laws were first announced several people and high profile organisations raised concerns about the storage and use of this incredible amount of very personal data being kept on all Australians. However the laws were ushered through under the guise of national security. It was claimed that stronger powers were needed to protect Australia from terrorism<sup id="fnref:terrorism"><a class="footnote-ref" href="#fn:terrorism">1</a></sup> and that this huge expansion of law enforcement capabilities would be used by intelligence agencies to fight Islamic State<sup id="fnref:one-more-antiterror-tool"><a class="footnote-ref" href="#fn:one-more-antiterror-tool">2</a></sup>.</p>
<p>The metadata facts sheet<sup id="fnref:data-retention-facts"><a class="footnote-ref" href="#fn:data-retention-facts">3</a></sup> released by the Attorney-general's Department says that</p>
<blockquote>
<p>Metadata is vital to nearly every counter-terrorism, organised crime, counter-espionage and cyber-security investigation. It is used in almost every serious criminal investigation, including murder, sexual assault, child exploitation and kidnapping.</p>
</blockquote>
<p>However from the day mandatory data retention was introduced it was feared that this information, described in an opinion piece by George Brandis titled "One more anti-terror tool" as being "vital to investigate terrorism and organised crime."<sup id="fnref2:one-more-antiterror-tool"><a class="footnote-ref" href="#fn:one-more-antiterror-tool">2</a></sup> would instead be subject to mission creep. Many predicted that metadata kept solely for the purpose of complying with the mandatory data retention regime would go from a tool only to be used in "serious criminal investigation" to a source of information for petty crimes and civil litigation.</p>
<p>In the Consultation Paper it is mentioned that</p>
<blockquote>
<p>In the course of the Committee’s inquiry into the Bill, a number of submissions expressed concerns that retained telecommunications data would be able to be accessed by parties to civil proceedings.</p>
<p>In its Advisory Report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, the Committee recommended that the Bill ‘be amended to
prohibit civil litigants from being able to access telecommunications data that is held by a service provider solely for the purpose of complying with the mandatory data retention
regime.’</p>
</blockquote>
<p>I find it particularly worrying that the question on the Data Retention FAQs that talked about use in copyright enforcement has now been removed, previously<sup id="fnref:previously"><a class="footnote-ref" href="#fn:previously">4</a></sup> it said:</p>
<blockquote>
<p><strong>Will data retention be used for copyright enforcement?</strong></p>
<p>The Telecommunications (Interception and Access) Act 1979 only allows access for limited purposes,
such as criminal law enforcement matters. Breach of copyright is generally a civil law wrong.
The Act will preclude access to telecommunications data retained solely for the purpose of
complying with the mandatory data retention scheme for the purposes of civil litigation.</p>
</blockquote>
<p>and I fear that a tool which was originally introduced to fight terrorism will now become a tool of large private media organisation perusing copyright violations.</p>
<p>In regards to the question 3;</p>
<blockquote>
<p>Are there particular kinds of civil proceedings or circumstances in which the prohibition in section 280(1B) of the Telecommunications Act 1997 should not apply?</p>
</blockquote>
<p>I believe the answer should be a strong and firm "No, the prohibition in section 280(1B) of the Telecommunications Act 1997 should apply to all types of civil proceedings". We should be looking to strengthen our controls and protections around this data not to weaken them.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:terrorism">
<p>ABC the 730 Report <a href="http://www.abc.net.au/7.30/content/2015/s4184359.htm">'Democracies must be on front foot' says George Brandis as Government prepares new laws</a> <a class="footnote-backref" href="#fnref:terrorism" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:one-more-antiterror-tool">
<p>The Australian <a href="http://www.theaustralian.com.au/opinion/one-more-antiterror-tool/news-story/b9f48192069443268dec2dfcb04870c5">One more anti-terror tool</a> <a class="footnote-backref" href="#fnref:one-more-antiterror-tool" title="Jump back to footnote 2 in the text">↩</a><a class="footnote-backref" href="#fnref2:one-more-antiterror-tool" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:data-retention-facts">
<p>The Attorney-general's Department <a href="https://www.ag.gov.au/NationalSecurity/DataRetention/Documents/KeepingourcommunitysafeFactsheet.pdf">Data retention facts</a> <a class="footnote-backref" href="#fnref:data-retention-facts" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
<li id="fn:previously">
<p>Snapshot of the FAQs on archive.org from <a href="http://web.archive.org/web/20160428205854/https://www.ag.gov.au/NationalSecurity/DataRetention/Pages/Frequentlyaskedquestions.aspx#RetentionCopyright">28/04/2016</a> and the <a href="https://www.ag.gov.au/NationalSecurity/DataRetention/Pages/Frequentlyaskedquestions.aspx">current version</a> <a class="footnote-backref" href="#fnref:previously" title="Jump back to footnote 4 in the text">↩</a></p>
</li>
</ol>
</div>Thinking about how to defend against the PoisonTap2017-01-05T07:00:00+08:002017-01-05T07:00:00+08:00Michael Van Delfttag:xo.tc,2017-01-05:/thinking-about-how-to-defend-against-the-poisontap.html<p>Recently the Samy Kamkar has come out with a device called a <a href="https://samy.pl/poisontap/">PoisonTap</a>, a few months before that Mubix was <a href="https://room362.com/post/2016/snagging-creds-from-locked-machines/">talking about</a> getting credentials from a locked computer with the <a href="https://lanturtle.com/">LAN Turtle</a>.</p>
<p>Both these attacks exploit the same underlying issue which is that most operating systems (Windows, Linux<sup id="fnref:linux"><a class="footnote-ref" href="#fn:linux">1</a></sup> and …</p><p>Recently the Samy Kamkar has come out with a device called a <a href="https://samy.pl/poisontap/">PoisonTap</a>, a few months before that Mubix was <a href="https://room362.com/post/2016/snagging-creds-from-locked-machines/">talking about</a> getting credentials from a locked computer with the <a href="https://lanturtle.com/">LAN Turtle</a>.</p>
<p>Both these attacks exploit the same underlying issue which is that most operating systems (Windows, Linux<sup id="fnref:linux"><a class="footnote-ref" href="#fn:linux">1</a></sup> and OSX) will automatically trust a USB network when it's attached and start sending data over it.</p>
<p>I've been thinking a lot about how we as the IT Security Community can defend against these sorts of attacks.</p>
<p>The most obvious idea that springs to mind is to issue the user with some sort of popup "New network detected, do you want to connect?" but there are a few issues with that.</p>
<p>The first is that it's a horrible user experience (UX) because 99.9% of the time the answer will be "Yes" ... "Why do you think I plugged in my usb 4g dongle if I didn't want to use it!?".</p>
<p>The second is that sometimes you need the network to start working before you can login. A few years ago I worked at a high school we used RADIUS to secure our WiFi. Students could connect with their domain credentials. We had shared laptops in the school library but the laptops couldn't authenticate with the RADIUS server until students had logged in, but students couldn't login to the laptops without network. This will likely only get worse, with devices like <a href="https://www.google.com/chromebook/about/">Chromebooks</a> and Windows 10 pushing Microsoft accounts pretty hard.</p>
<p>The defences that PoisonTap jokingly <a href="https://samy.pl/poisontap/#toc_11">suggest for desktop security</a> are funny but impractical such as</p>
<blockquote>
<p>Adding cement to your USB and Thunderbolt ports can be effective</p>
</blockquote>
<p>In the end I don't really think there is any good client side defence for these sorts of attacks. Instead I think it needs to be at the protocol level, we need to bake security in by default. Things saying browsers vendors saying we will only support HTTP/2 <a href="https://en.wikipedia.org/wiki/HTTP/2#Encryption">if it's encrypted</a>.</p>
<p>We should demand encryption in any new protocol and systems susceptible to passive monitoring should be treated as a vulnerable and rejected. It might be a long an painful journey but I can imagine an internet where all communications are secure by default.</p>
<p>I always though it was disappointing that IPv6 didn't make encryption mandatory it would have been great to have security built right in at the <a href="https://en.wikipedia.org/wiki/Internet_layer">Internet layer</a>. </p>
<div class="footnote">
<hr>
<ol>
<li id="fn:linux">
<p>There are hundreds of distributions but, when I say "Linux" I mean mainstream distributions like Debian / Ubuntu / Red Hat / Fedora with their default settings. <a class="footnote-backref" href="#fnref:linux" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Fixing no valid mx hosts found2016-12-29T07:00:00+08:002016-12-29T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-12-29:/fixing-no-valid-mx-hosts-found.html<p>I've been hosting my own email on this domain for just over a year now and I hadn't noticed any problems until a couple of days ago a German friend of mine using <a href="https://www.gmx.net/">GMX</a> tired to send me an email and it bounced back with the error message "no valid …</p><p>I've been hosting my own email on this domain for just over a year now and I hadn't noticed any problems until a couple of days ago a German friend of mine using <a href="https://www.gmx.net/">GMX</a> tired to send me an email and it bounced back with the error message "no valid mx hosts found".</p>
<p>It turns out that according to <a href="https://tools.ietf.org/html/rfc2181#section-10.3">RFC 2181</a></p>
<blockquote>
<p>a MX resource record must not be an alias.</p>
</blockquote>
<p>I had mail.xo.tc setup as my mx record</p>
<p><img alt="DNS Made Easy MX record" src="https://xo.tc/images/no-valid-mx-mx-record.png"></p>
<p>And then because everything is running off this one server I had mail as a CNAME.</p>
<p><img alt="mail as a CNAME" src="https://xo.tc/images/no-valid-mx-cname.png"></p>
<p>I deleted the CNAME and added in an A and AAAA record and that fixed the issue.</p>
<p><img alt="New A and AAAA record" src="https://xo.tc/images/no-valid-mx-a-and-aaaa-record.png"></p>
<p>Now I can receive emails from gmx.de and I'm RFC compliant.</p>Upgrading from Piwik 2.17.1 to Piwik 3.0.02016-12-22T07:00:00+08:002016-12-22T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-12-22:/upgrading-from-piwik-2171-to-piwik-300.html<p>Piwik have just <a href="https://piwik.org/changelog/piwik-3-0-0/">announced</a> the release of Piwik 3.0 and I was excited to try it out. I've been running Piwik on this site for just over a year. I like <a href="https://piwik.org/">Piwik</a> because it allows me to run analytics<sup id="fnref:analytics"><a class="footnote-ref" href="#fn:analytics">1</a></sup> on this site while respecting users <a href="http://piwik.org/privacy/">privacy</a>, giving users …</p><p>Piwik have just <a href="https://piwik.org/changelog/piwik-3-0-0/">announced</a> the release of Piwik 3.0 and I was excited to try it out. I've been running Piwik on this site for just over a year. I like <a href="https://piwik.org/">Piwik</a> because it allows me to run analytics<sup id="fnref:analytics"><a class="footnote-ref" href="#fn:analytics">1</a></sup> on this site while respecting users <a href="http://piwik.org/privacy/">privacy</a>, giving users the option to <a href="http://donottrack.us/">opt-out</a><sup id="fnref:opt-out"><a class="footnote-ref" href="#fn:opt-out">2</a></sup> of tracking and it means I don't share their data with a 3rd party like Google. </p>
<p>The upgrade was fairly seamless.</p>
<p>When I logged in there was a notification saying an update was available.</p>
<p><img alt="New update avalible" src="https://xo.tc/images/piwik-update-1-new-update-avalible.png"></p>
<p>I clicked on the update link to update and selected "Update Automatically"</p>
<p><img alt="Update automatically" src="https://xo.tc/images/piwik-update-2-new-version-of-piwik.png"></p>
<p>After about 10 seconds I got a message saying the update was successful</p>
<p><img alt="Update successfull" src="https://xo.tc/images/piwik-update-3-sucessfull.png"></p>
<p>Then I had to upgrade the database, as this is a very low traffic site I decided to upgrade in the browser</p>
<p><img alt="Database upgrade" src="https://xo.tc/images/piwik-update-4-database.png"></p>
<p>The update finished and I continued on to piwki</p>
<p><img alt="Upgrade finished" src="https://xo.tc/images/piwik-update-5-upgrade-finished.png"></p>
<p>Only when I reloaded the page I was getting 500 server errors</p>
<p><img alt="Piwik 500 Server error" src="https://xo.tc/images/piwik-update-6-500-server-error.png"></p>
<p>Looking in <code>/var/log/apache2/error.log</code> I saw a number of errors saying:</p>
<div class="highlight"><pre><span></span><code><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">www</span><span class="o">/</span><span class="n">html</span><span class="o">/</span><span class="n">piwik</span><span class="o">/</span><span class="n">plugins</span><span class="o">/.</span><span class="n">htaccess</span><span class="p">:</span> <span class="n">Options</span> <span class="ow">not</span> <span class="n">allowed</span> <span class="n">here</span>
</code></pre></div>
<p>I found that the <code>.htaccess</code> file in the plugins directory had a line at the end</p>
<div class="highlight"><pre><span></span><code>Options -Indexes
</code></pre></div>
<p>That line stops people getting a directory listing of the files in the plugins folder, so it's an important security feature.</p>
<p>I edited my apache2 config and changed my <code>AllowOverride</code> setting from</p>
<div class="highlight"><pre><span></span><code><span class="nt"><Directory</span> <span class="err">/var/www/html/piwik</span><span class="nt">></span>
AllowOverride FileInfo Limit AuthConfig
<span class="nt"></Directory></span>
</code></pre></div>
<p>to</p>
<div class="highlight"><pre><span></span><code><span class="nt"><Directory</span> <span class="err">/var/www/html/piwik</span><span class="nt">></span>
AllowOverride FileInfo Limit AuthConfig Options=Indexes
<span class="nt"></Directory></span>
</code></pre></div>
<p>After that Piwik loaded up with no erros.</p>
<p><img alt="Piwik 3.0 new sign in page" src="https://xo.tc/images/piwik-update-7-new-signin-page.png"></p>
<p>I've had a bit of a play with it and I think the new dashboard looks nice.</p>
<p><img alt="Piwik 3.0 new dashboard" src="https://xo.tc/images/piwik-update-8-new-dashboard.png"></p>
<p>One of the features I've been tracking and looking forward it is the change from <code>md5</code> hashes to <code>bcrypt</code> so it's great to see that's <a href="https://github.com/piwik/piwik/issues/5728">landed</a> in the 3.0 release.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:analytics">
<p>If pushed, I'd have to begrudgingly admit that it's more about self validation than any technical usefulness of the data. <a class="footnote-backref" href="#fnref:analytics" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:opt-out">
<p>It would be better if all web analytics were opt-in, but that's not how the world seems to work. <a class="footnote-backref" href="#fnref:opt-out" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>Is patching still the best defence2016-12-15T07:00:00+08:002016-12-15T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-12-15:/is-patching-still-the-best-defence.html<p>One of the nice things about the ASD's <a href="http://www.asd.gov.au/infosec/mitigationstrategies.htm">Strategies to mitigate Targed Cyber Intrusoions</a> is that they rank them by effectiveness. Saying that their top four would prevent 85% of intrusions.</p>
<p>Their top four are:</p>
<ol>
<li>Application Whitelisting.</li>
<li>Patching Applications.</li>
<li>Patching Operating System Vulnerabilities.</li>
<li>Restrict Administrative privileges.</li>
</ol>
<p>Patching is two out …</p><p>One of the nice things about the ASD's <a href="http://www.asd.gov.au/infosec/mitigationstrategies.htm">Strategies to mitigate Targed Cyber Intrusoions</a> is that they rank them by effectiveness. Saying that their top four would prevent 85% of intrusions.</p>
<p>Their top four are:</p>
<ol>
<li>Application Whitelisting.</li>
<li>Patching Applications.</li>
<li>Patching Operating System Vulnerabilities.</li>
<li>Restrict Administrative privileges.</li>
</ol>
<p>Patching is two out of the top four recommendations and has long viewed by many IT Security professionals, <a href="https://xo.tc/automatic-updates-for-debian.html">my self included</a> as one of the easiest things to do that gets you the best bang for your buck.</p>
<p>I was at a meeting recently where someone said an exploit had not been used against their network in about 6 months. The implication was that a huge percentage of malware these days is delivered as an .exe in a zip file from an email <a href="https://xo.tc/tracking-a-spam-campagn.html">claiming to be a traffic infringement</a> or something similar. Suggesting that patching is no longer the easiest win for IT Security.</p>
<p>I'm not entirely convinced that exploits are no longer being used, I think there are plenty of hacked sites and malvertising campaigns that take advantage of unpatched browsers or out of date applications like flash. But I can see a bit of a shift from using exploits to infect computers to simply sending a trojan or a phishing email and relying on tricking users.</p>Tracking a spam campagn2016-12-08T07:00:00+08:002016-12-08T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-12-08:/tracking-a-spam-campagn.html<p>At work yesterday we got a couple of phishing email claiming to be traffic infringements, nothing too remarkable about that. But interestingly this time the links in the emails to <a href="https://bitly.com/">Bitly</a>, a url shortener service that redirects traffic instead of going directly to some hacked site hosting malware.</p>
<p>With Bitly …</p><p>At work yesterday we got a couple of phishing email claiming to be traffic infringements, nothing too remarkable about that. But interestingly this time the links in the emails to <a href="https://bitly.com/">Bitly</a>, a url shortener service that redirects traffic instead of going directly to some hacked site hosting malware.</p>
<p>With Bitly URLs you can simply put a + sign on the end of any link it will take you to a page of statistics rather than redirect you. The URLs from the phishing emails (with a plus sign added) were:</p>
<p><a href="https://bitly.com/2h3aFul+">https://bitly.com/2h3aFul+</a>
<img alt="bitly link 2h3aFul" src="https://xo.tc/images/bitly-2h3aFul.png"></p>
<p>and <a href="https://bitly.com/2gh3gXg+">https://bitly.com/2gh3gXg+</a>
<img alt="bitly link 2gh3gXg" src="https://xo.tc/images/bitly-2gh3gXg.png"></p>
<p>We can see the first time either link was followed was around 21:00UTC wich is 05:00 AWST (Western Australia time) and it dies off pretty quickly suggesting that these campaigns move from one URL to another very quicly rather than spamming out the same URL all day<sup id="fnref:all-day"><a class="footnote-ref" href="#fn:all-day">1</a></sup>. It also shows that most traffic is from Australia which you would expect given that the was claiming to be an infringement form the West Australia Police.</p>
<p>Most of the traffic is direct access, this not surprising seeing that people are coming from email rather than another source such as twitter. Although there is a fair amount coming from localhost:5272. I’m not sure what that is, but a quick google search suggest it’s Xeams spam filter is following links in emails to check if they are malicious.</p>
<p>The spoofed address this came from was infringement@data.gov.au, I'd be guessing they picked that one because it looks almost legitimate and data.gov.au doesn't have dmarc or even an SPF record<sup id="fnref:SPF-Record"><a class="footnote-ref" href="#fn:SPF-Record">2</a></sup>. I was also surprised to find that in the footer of the email, the links were not malicious. There was one to the about West Australian Police and it really pointed to the about West Australian Police page. It was just in the body of the email that there were malicious links.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:all-day">
<p>It's posible that the spammers have setup their campaign to send emails early in the morning for their target timezone. I remember hearing from a legitimate (double opt-in) email marketing group that first thing in the morning was the most effective time to send emails because it will be a the top of people inbox as they are having their morning coffee. <a class="footnote-backref" href="#fnref:all-day" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:SPF-Record">
<p>I was really surprised to find that, I know a couple of the folks that helped set it up and they were pretty switched on types. <a class="footnote-backref" href="#fnref:SPF-Record" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>Automatic Updates for Debian2016-12-01T07:00:00+08:002016-12-01T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-12-01:/automatic-updates-for-debian.html<p>Good security is about defence in depth, layers of security. There is no one thing that will make you secure but one of the easiest things to do that gets you the best bang for your buck is patching your software.</p>
<p>On windows this is called Automatic Updates, in Debian …</p><p>Good security is about defence in depth, layers of security. There is no one thing that will make you secure but one of the easiest things to do that gets you the best bang for your buck is patching your software.</p>
<p>On windows this is called Automatic Updates, in Debian it's called Unattended Upgrades but it's essentially the same thing. There is an <a href="https://wiki.debian.org/UnattendedUpgrades">Unattended Upgrades page</a> on the Debian wiki that is pretty good. Enabling updates basicly boils down to:</p>
<div class="highlight"><pre><span></span><code>sudo apt-get install unattended-upgrades apt-listchanges
sudo dpkg-reconfigure -plow unattended-upgrades
vim /etc/apt/apt.conf.d/50unattended-upgrades
<span class="c1"># Edit line 71 to send emails to a monitored address</span>
</code></pre></div>
<p>If your current update strategy is to SSH into boxes and run <code>sudo apt-get update && sudo apt-get dist-upgrade</code> whenever you remember then you should look automating it with unattended upgrades. Of course a full dev > test > production patch cycle is best for large mission critical things but for small setups like the one box that runs this website unattended upgrades are perfect.</p>The struggle with apathy2016-11-24T07:00:00+08:002016-11-24T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-11-24:/the-struggle-with-apathy.html<p>I like many people struggle<sup id="fnref:struggle"><a class="footnote-ref" href="#fn:struggle">1</a></sup> with apathy, it's not that I'm depressed or that I don't find enjoyment in doing things. I still get that hacker like thirst for knowledge, that need to solve a problem or to understand what makes something tick. But sometimes I think it would …</p><p>I like many people struggle<sup id="fnref:struggle"><a class="footnote-ref" href="#fn:struggle">1</a></sup> with apathy, it's not that I'm depressed or that I don't find enjoyment in doing things. I still get that hacker like thirst for knowledge, that need to solve a problem or to understand what makes something tick. But sometimes I think it would be so easy to spend a whole day on the couch just watching <a href="http://watchtheguild.com/">weak sitcoms</a> and eating <a href="https://en.wikipedia.org/wiki/Cheezels">Cheezels</a>, I could pass a lot of time watching <a href="https://www.youtube.com/watch?v=tG7hYnMyxyY">funny YouTube videos</a>.</p>
<p>One of the reasons I update this blog with a new post published at the same time every week is that I've made a commitment to my self, a schedule that I can stick to, a dead line that I need to meet. If I just updated this blog on an adhoc basis whenever I was in the mood I'd probably have about 4 post on here. It's not that I don't enjoy writing posts but that without some self imposed pressure I'd never get done.</p>
<p>Generally when I see self help style things that are meant to be motivational they seem sickly sweet to me and put my right off. If you search <a href="https://www.google.com.au/search?q=positive%20motivational&tbm=isch">positive motivational</a> on Google and seeing things like "Choosing to be positive and having a grateful attitude is going to determine how you're going to live your life." and that makes you feel good, and it helps you achieve your goals that's awesome! Good for you.<sup id="fnref:poes-law"><a class="footnote-ref" href="#fn:poes-law">2</a></sup></p>
<p>But for me it makes me feel a little nauseous. I don't really know how to explain, but the closest I can get is: It's like it's too happy to the point where it feels fake, and fake happiness feels worse than just feeling neutral.</p>
<p>Yan Zhu wrote an good <a href="https://diracdeltas.github.io/blog/thoughts-on-cypherpunks-2-0/">post about apathy</a>.</p>
<p>But there are some motivational things that I like;</p>
<p>Matt Grey and Tom Scott recently did a bit on how they manage to do so much stuff, the whole video is pretty decent but there is a bit where <a href="https://youtu.be/mz347Y9iXBY?t=2m14s">Tom says</a> "Find someone who you can't let down". I like that, it could be a friend, family or or whatever but if you feel like you will disappoint or inconvenience someone you care about by not doing something they you're more likely to make the effort to do it.</p>
<p>I like goals that are very specific, attainable and very easy to evaluate. Now I know that has a faint whiff of bovine manure, but what I mean by that is don't say "I'd like to learn to use Metasploit". That's way too open ended and it won't happen. What does it mean to 'use'? to what level of proficiency? by when? how will you know when you can 'use Metasploit' well enough. Instead be very, very specific, say "I'm going to finish one chapter of <a href="https://www.nostarch.com/metasploit">this book on Metasploit</a> every week for the next 17 weeks, I'll do it by doing an hours study every Sunday between 10:00 and 11:00 and if something comes up I'll move my hours study to Wednesday nights." That's much more achievable and you will know if you have failed or succeeded.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:struggle">
<p>Struggle may be too strong a word, I was going to call this post 'The war on apathy' which is a much snappier title. But I have a strong objection to people declaring 'war' on everything. So I spent some time on <a href="http://www.thesaurus.com/">thesaurus.com</a> and eventually gave up and went with struggle because I couldn't be bothered looking any more. The irony of that is not lost on me. <a class="footnote-backref" href="#fnref:struggle" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:poes-law">
<p>Incase your <a href="https://en.wikipedia.org/wiki/Poe%27s_law">unsure</a>, I mean that sincerely. We are not all the same and what works for one person doesn't for another. If those motivational posters are for you, then that's great. <a class="footnote-backref" href="#fnref:poes-law" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>How to tunnel data over DNS2016-11-17T07:00:00+08:002016-11-17T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-11-17:/how-to-tunnel-data-over-dns.html<p>A while ago I wrote a post on <a href="https://xo.tc/tunneling-data-over-dns.html">tunneling data over DNS</a> that was a technical explanation of what's going on. This post is a tutorial on how to setup a DNS tunnel with <a href="http://code.kryo.se/iodine/">iodine</a>.</p>
<p>I'm using <a href="https://dnsmadeeasy.com/">DNS Made Easy</a> as my main DNS provider, Debian on an EC2 for …</p><p>A while ago I wrote a post on <a href="https://xo.tc/tunneling-data-over-dns.html">tunneling data over DNS</a> that was a technical explanation of what's going on. This post is a tutorial on how to setup a DNS tunnel with <a href="http://code.kryo.se/iodine/">iodine</a>.</p>
<p>I'm using <a href="https://dnsmadeeasy.com/">DNS Made Easy</a> as my main DNS provider, Debian on an EC2 for the DNS server, and Arch Linux and Windows as the client. I haven't tried this on other setups but it should be more or less the same.</p>
<h2>Setting up the server</h2>
<p>Start a t2.micro EC2<sup id="fnref:ec2"><a class="footnote-ref" href="#fn:ec2">1</a></sup> running Debian, updated all the packages and reboot<sup id="fnref:reboot"><a class="footnote-ref" href="#fn:reboot">2</a></sup>.</p>
<div class="highlight"><pre><span></span><code>sudo apt-get update <span class="o">&&</span> sudo apt-get dist-upgrade <span class="o">&&</span> sudo reboot
</code></pre></div>
<p>Then install iodine</p>
<div class="highlight"><pre><span></span><code>sudo apt-get install iodine
</code></pre></div>
<p>Setup the domain name to use for the tunnel, in my case I used tunnel.xo.tc. I created a sub-domain and delegated it to a DNS servers called tunnel-ns1.xo.tc.</p>
<p>In DNS Made easy go to NS Records and hit the Add button.</p>
<p><img alt="Adding an NS Record" src="https://xo.tc/images/dns-tunnel-add-ns-record.png"></p>
<p>Next we need to setup the A record for the name server we have specified.</p>
<p><img alt="Adding an A Record" src="https://xo.tc/images/dns-tunnel-add-a-record.png"></p>
<p>Then on the EC2 server</p>
<div class="highlight"><pre><span></span><code>sudo iodined -f <span class="m">10</span>.73.72.1 -c tunnel.xo.tc
</code></pre></div>
<ul>
<li><code>-f</code> Keeps iodined running on the forground, it's not nessacery but it makes it easier to stop and start.</li>
<li><code>10.73.72.1</code> is the local network that iodine will create. Use an address that is not on your LAN.</li>
<li><code>-c</code> Disables checking of the client IP address, you will only need it if your DNS queries are getting routed through a cluster of DNS servers and so your traffic will be coming from diffrent IP addresses.</li>
<li><code>tunnel.xo.tc</code> is the domain to use as a tunnel.</li>
</ul>
<p>Check your server is working with <a href="http://code.kryo.se/iodine/check-it/">iodine check tool</a></p>
<h2>Arch Linux Client</h2>
<p>On the client (Arch Linux)</p>
<div class="highlight"><pre><span></span><code>sudo pacman -S iodine
sudo iodine -f tunnel.xo.tc
</code></pre></div>
<p>Now if you run <code>ip addr</code> you should see a new network connection</p>
<div class="highlight"><pre><span></span><code><span class="o">[</span><span class="n">michael@ezreal ~</span><span class="o">]</span><span class="err">$</span><span class="w"> </span><span class="n">sudo</span><span class="w"> </span><span class="n">ip</span><span class="w"> </span><span class="n">addr</span><span class="w"></span>
<span class="err">#</span><span class="w"> </span><span class="p">...</span><span class="w"></span>
<span class="mi">4</span><span class="err">:</span><span class="w"> </span><span class="nl">dns0</span><span class="p">:</span><span class="w"> </span><span class="o"><</span><span class="n">POINTOPOINT</span><span class="p">,</span><span class="n">MULTICAST</span><span class="p">,</span><span class="n">NOARP</span><span class="p">,</span><span class="n">UP</span><span class="p">,</span><span class="n">LOWER_UP</span><span class="o">></span><span class="w"> </span><span class="n">mtu</span><span class="w"> </span><span class="mi">1130</span><span class="w"> </span><span class="n">qdisc</span><span class="w"> </span><span class="n">fq_codel</span><span class="w"> </span><span class="k">state</span><span class="w"> </span><span class="k">UNKNOWN</span><span class="w"> </span><span class="k">group</span><span class="w"> </span><span class="k">default</span><span class="w"> </span><span class="n">qlen</span><span class="w"> </span><span class="mi">500</span><span class="w"></span>
<span class="w"> </span><span class="n">link</span><span class="o">/</span><span class="k">none</span><span class="w"></span>
<span class="w"> </span><span class="n">inet</span><span class="w"> </span><span class="mf">10.73.72.2</span><span class="o">/</span><span class="mi">27</span><span class="w"> </span><span class="k">scope</span><span class="w"> </span><span class="k">global</span><span class="w"> </span><span class="n">dns0</span><span class="w"></span>
<span class="w"> </span><span class="n">valid_lft</span><span class="w"> </span><span class="n">forever</span><span class="w"> </span><span class="n">preferred_lft</span><span class="w"> </span><span class="n">forever</span><span class="w"></span>
<span class="o">[</span><span class="n">michael@ezreal ~</span><span class="o">]</span><span class="err">$</span><span class="w"> </span><span class="n">ping</span><span class="w"> </span><span class="o">-</span><span class="n">c</span><span class="w"> </span><span class="mi">4</span><span class="w"> </span><span class="mf">10.73.72.1</span><span class="w"></span>
<span class="n">PING</span><span class="w"> </span><span class="mf">10.73.72.1</span><span class="w"> </span><span class="p">(</span><span class="mf">10.73.72.1</span><span class="p">)</span><span class="w"> </span><span class="mi">56</span><span class="p">(</span><span class="mi">84</span><span class="p">)</span><span class="w"> </span><span class="n">bytes</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="k">data</span><span class="p">.</span><span class="w"></span>
<span class="mi">64</span><span class="w"> </span><span class="n">bytes</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="mf">10.73.72.1</span><span class="err">:</span><span class="w"> </span><span class="n">icmp_seq</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="n">ttl</span><span class="o">=</span><span class="mi">64</span><span class="w"> </span><span class="nc">time</span><span class="o">=</span><span class="mi">346</span><span class="w"> </span><span class="n">ms</span><span class="w"></span>
<span class="mi">64</span><span class="w"> </span><span class="n">bytes</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="mf">10.73.72.1</span><span class="err">:</span><span class="w"> </span><span class="n">icmp_seq</span><span class="o">=</span><span class="mi">2</span><span class="w"> </span><span class="n">ttl</span><span class="o">=</span><span class="mi">64</span><span class="w"> </span><span class="nc">time</span><span class="o">=</span><span class="mi">334</span><span class="w"> </span><span class="n">ms</span><span class="w"></span>
<span class="mi">64</span><span class="w"> </span><span class="n">bytes</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="mf">10.73.72.1</span><span class="err">:</span><span class="w"> </span><span class="n">icmp_seq</span><span class="o">=</span><span class="mi">3</span><span class="w"> </span><span class="n">ttl</span><span class="o">=</span><span class="mi">64</span><span class="w"> </span><span class="nc">time</span><span class="o">=</span><span class="mi">346</span><span class="w"> </span><span class="n">ms</span><span class="w"></span>
<span class="mi">64</span><span class="w"> </span><span class="n">bytes</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="mf">10.73.72.1</span><span class="err">:</span><span class="w"> </span><span class="n">icmp_seq</span><span class="o">=</span><span class="mi">4</span><span class="w"> </span><span class="n">ttl</span><span class="o">=</span><span class="mi">64</span><span class="w"> </span><span class="nc">time</span><span class="o">=</span><span class="mi">338</span><span class="w"> </span><span class="n">ms</span><span class="w"></span>
<span class="o">---</span><span class="w"> </span><span class="mf">10.73.72.1</span><span class="w"> </span><span class="n">ping</span><span class="w"> </span><span class="k">statistics</span><span class="w"> </span><span class="o">---</span><span class="w"></span>
<span class="mi">4</span><span class="w"> </span><span class="n">packets</span><span class="w"> </span><span class="n">transmitted</span><span class="p">,</span><span class="w"> </span><span class="mi">4</span><span class="w"> </span><span class="n">received</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="o">%</span><span class="w"> </span><span class="n">packet</span><span class="w"> </span><span class="n">loss</span><span class="p">,</span><span class="w"> </span><span class="nc">time</span><span class="w"> </span><span class="mi">3001</span><span class="n">ms</span><span class="w"></span>
<span class="n">rtt</span><span class="w"> </span><span class="nf">min</span><span class="o">/</span><span class="nf">avg</span><span class="o">/</span><span class="nf">max</span><span class="o">/</span><span class="n">mdev</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mf">334.381</span><span class="o">/</span><span class="mf">341.482</span><span class="o">/</span><span class="mf">346.673</span><span class="o">/</span><span class="mf">5.310</span><span class="w"> </span><span class="n">ms</span><span class="w"></span>
</code></pre></div>
<p>Congratulations, you now have a tunnel through DNS.</p>
<h2>Windows Client</h2>
<p>First we need to install the Install the TAP32 driver. To do this download the <a href="http://openvpn.net/index.php/open-source/downloads.html">OpenVPN</a> installer<sup id="fnref:openVPN"><a class="footnote-ref" href="#fn:openVPN">3</a></sup> and when you get to Choose Components step, you only need to pick TAP Virtual Ethernet Adapter.</p>
<p><img alt="Installing openVPN TAP adapter" src="https://xo.tc/images/installing-openVPN-TAP.png"></p>
<p>The rest is more or less the same as Linux, download the latest binary, extract them, open a command prompt as administrator and run iodine <code>c:\Users\Michael\Downloads\iodine-0.7.0-windows\64bit\iodine.exe -f tunnel.xo.tc</code></p>
<h2>Making it a service</h2>
<p>Of course if you're planning on using it from a hotel WiFi for example you might not be able to SSH in and start iodine so you will want your tunnel available all the time.</p>
<div class="highlight"><pre><span></span><code>sudo nano /etc/default/iodine
</code></pre></div>
<p>Setup your iodine config<sup id="fnref:password"><a class="footnote-ref" href="#fn:password">4</a></sup></p>
<div class="highlight"><pre><span></span><code># <span class="nv">Default</span> <span class="nv">settings</span> <span class="k">for</span> <span class="nv">iodine</span>. <span class="nv">This</span> <span class="nv">file</span> <span class="nv">is</span> <span class="nv">sourced</span> <span class="nv">from</span>
# <span class="o">/</span><span class="nv">etc</span><span class="o">/</span><span class="nv">init</span>.<span class="nv">d</span><span class="o">/</span><span class="nv">iodined</span>
<span class="nv">START_IODINED</span><span class="o">=</span><span class="s2">"</span><span class="s">true</span><span class="s2">"</span>
<span class="nv">IODINED_ARGS</span><span class="o">=</span><span class="s2">"</span><span class="s">10.73.72.1 -c tunnel.xo.tc</span><span class="s2">"</span>
<span class="nv">IODINED_PASSWORD</span><span class="o">=</span><span class="s2">"</span><span class="s">SjLYBVAI4HnaF6TN6oryN7r2</span><span class="s2">"</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code>sudo systemctl enable iodined.service
sudo systemctl restart iodined.service
</code></pre></div>
<h2>Encryption and routing</h2>
<p>Now you have a DNS tunnel between you and your server, but it doesn't mean that all your traffic will magically flow through it, nor is your traffic private<sup id="fnref:private"><a class="footnote-ref" href="#fn:private">5</a></sup>. The recommended way is to either setup a VPN or SSH Tunnel<sup id="fnref:tunnel"><a class="footnote-ref" href="#fn:tunnel">6</a></sup>.</p>
<p>On Linux it's pretty simple <code>ssh -D 8080 admin@10.73.72.1 -i aws-key.pem</code></p>
<p>On Windows it's pretty much the same, except we will use Putty and under Connection > SSH > Tunnels and Dynamic port forwarding on port 8080.</p>
<p><img alt="Putty Tunnel Settings" src="https://xo.tc/images/putty-add-ssh-tunnel.png">)</p>
<p>Then in Firefox go to Options > Advanced > Network > Connection Settings > Manual proxy configuration and enter the SOCKS proxy details.</p>
<p><img alt="Firefox Proxy Settings" src="https://xo.tc/images/firefox-proxy-settings.png"></p>
<p>I found the network to be painfully slow, but it's a fun little experment.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:ec2">
<p>Also if you are using Amazon, make sure you open ports TCP 22, TCP 53 and UDP 53 in the security groups settings. <a class="footnote-backref" href="#fnref:ec2" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:reboot">
<p>A reboot is not strictly necessary, but when I ran the updates it installed a new kernel so I wanted to reboot for the kernel update. <a class="footnote-backref" href="#fnref:reboot" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:openVPN">
<p>The documentation says it needs to be the 32 bit version of OpenVPN but I used the 64 bit version and it worked fine. <a class="footnote-backref" href="#fnref:openVPN" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
<li id="fn:password">
<p>To generate a password I recommend <code>sudo dd if=/dev/random bs=1 count=18 2>/dev/null | base64</code>. <a class="footnote-backref" href="#fnref:password" title="Jump back to footnote 4 in the text">↩</a></p>
</li>
<li id="fn:private">
<p>Tunneling data through DNS might be stealthy but iodine does not provide encryption be default. <a class="footnote-backref" href="#fnref:private" title="Jump back to footnote 5 in the text">↩</a></p>
</li>
<li id="fn:tunnel">
<p>Yes a tunnel with in a tunnel. <a class="footnote-backref" href="#fnref:tunnel" title="Jump back to footnote 6 in the text">↩</a></p>
</li>
</ol>
</div>You should try to outrun the bear2016-11-10T07:00:00+08:002016-11-10T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-11-10:/you-should-try-to-outrun-the-bear.html<p>If you have worked in IT Security for a while you will probably have heard the old saying;</p>
<blockquote>
<p>"You don't have to outrun the bear you only have to outrun the other bloke"<sup id="fnref:saying"><a class="footnote-ref" href="#fn:saying">1</a></sup></p>
</blockquote>
<p>I've heard it several times and it annoys me because it's almost always used to defend …</p><p>If you have worked in IT Security for a while you will probably have heard the old saying;</p>
<blockquote>
<p>"You don't have to outrun the bear you only have to outrun the other bloke"<sup id="fnref:saying"><a class="footnote-ref" href="#fn:saying">1</a></sup></p>
</blockquote>
<p>I've heard it several times and it annoys me because it's almost always used to defend doing a half-baked job of something. Things like using WEP because the neighbour's WiFi is unsecured.</p>
<p>Now I would never say things need to be <a href="https://xo.tc/perfectly-good.html">perfect</a> you're better off with something that works and is good than waiting for the perfect solution to be built. But if you're going to do something you should at least try to do things properly.</p>
<p>You should at the very least <em>try</em> to outrun the bear.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:saying">
<p>Or some variation on the theme. The one I originally heard was "the tiger" which I think sounds better, but Google suggest that "the bear" is more popular. <a class="footnote-backref" href="#fnref:saying" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Seting up Matrix Synapse and Riot on Debian 8 Jessie2016-11-03T07:00:00+08:002016-11-03T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-11-03:/seting-up-matrix-synapse-and-riot-on-debian-8-jessie.html<p>My partner is going over seas and wanted to be able to make video calls to me back in Australia. Unfortunately because I use F-Droid and don't have the Google Play store on my phone<sup id="fnref:F-Droid"><a class="footnote-ref" href="#fn:F-Droid">1</a></sup> I don't have WhatsApp or Viber or Facebook Messanger or... But I recently came …</p><p>My partner is going over seas and wanted to be able to make video calls to me back in Australia. Unfortunately because I use F-Droid and don't have the Google Play store on my phone<sup id="fnref:F-Droid"><a class="footnote-ref" href="#fn:F-Droid">1</a></sup> I don't have WhatsApp or Viber or Facebook Messanger or... But I recently came across <a href="https://riot.im/">Riot.im</a> a messaging app with the concept rooms like IRC or Slack and that can do one to one video calls.</p>
<p>So I decided to setup my own Matrix / Synapse server at home on Debian 8 Jesse.</p>
<p>I went with the packages rather than installing from source because I like the idea of an easy <code>sudo apt-get update && sudo apt-get dist-upgrade</code> to keep everything up to date.</p>
<h2>Add the matrix-synapse signing key</h2>
<div class="highlight"><pre><span></span><code>wget https://matrix.org/packages/debian/repo-key.asc
sudo apt-key add repo-key.asc
rm repo-key.asc
</code></pre></div>
<h2>Edit your sources.list</h2>
<div class="highlight"><pre><span></span><code>sudo vim /etc/apt/sources.list.d/synapse.list
</code></pre></div>
<p>add</p>
<div class="highlight"><pre><span></span><code><span class="k">deb</span> <span class="s">http://matrix.org/packages/debian/</span> <span class="kp">jessie</span> <span class="kp">main</span>
<span class="k">deb-src</span> <span class="s">http://matrix.org/packages/debian/</span> <span class="kp">jessie</span> <span class="kp">main</span>
</code></pre></div>
<h2>Refresh your sources and install</h2>
<div class="highlight"><pre><span></span><code>sudo apt-get update
sudo apt-get install matrix-synapse
</code></pre></div>
<p>The install ask you for a host name, and if it can report anonymized statistics back home.</p>
<p><img alt="Synapse Host name" src="https://xo.tc/images/matrix-synapse-server-name.png"></p>
<p><img alt="Synapse Host name" src="https://xo.tc/images/matrix-synapse-anonymized-statistics.png"></p>
<h1>Configure</h1>
<p>That's pretty much it, most of the defaults are ok, I'd recomend reading through <code>homeserver.yaml</code> anyway.</p>
<div class="highlight"><pre><span></span><code>sudo vim /etc/matrix-synapse/homeserver.yaml
</code></pre></div>
<p>I enabled registration, then removed it once I'd signed up (line 294).</p>
<div class="highlight"><pre><span></span><code><span class="p">#</span> <span class="n">Enable</span> <span class="n">registration</span> <span class="k">for</span> <span class="n">new</span> <span class="n">users</span><span class="p">.</span>
<span class="nl">enable_registration:</span> <span class="n">True</span>
</code></pre></div>
<p>On this server I'm not using Let's Encrypt yet so I copied my SSL certificates over the top of <code>homeserver.tls.crt</code> and <code>homeserver.tls.key</code></p>
<p>And started the server.</p>
<div class="highlight"><pre><span></span><code>sudo systemctl enable matrix-synapse.service
sudo systemctl statrt matrix-synapse.service
</code></pre></div>
<h2>DNS Entry</h2>
<p>I setup a <a href="https://github.com/matrix-org/synapse#setting-up-federation">DNS entry</a> to tell federated servers what port to connect on. For me that was just entering a SRV record in DNS Made Easy.</p>
<p><img alt="Synapse Host name" src="https://xo.tc/images/matrix-synapse-dns-settings.png"></p>
<p>The exact steps steps will be a little different depending on your DNS provider.</p>
<h2>Apache2</h2>
<p>Lastly I setup Apache to proxy <code>/_matrix</code> from port 443 to port 8008, below is part of my Apache2 config from <code>/etc/apache2/sites-enabled/000-default.conf</code> but the important bit is after # Matrix Synapse</p>
<div class="highlight"><pre><span></span><code><span class="o"><</span><span class="n">VirtualHost</span> <span class="o">*</span><span class="p">:</span><span class="mi">443</span><span class="o">></span>
<span class="c1"># Host settings</span>
<span class="n">ServerName</span> <span class="n">hybr</span><span class="o">.</span><span class="n">id</span><span class="o">.</span><span class="n">au</span>
<span class="c1"># SSL Settings</span>
<span class="n">SSLEngine</span> <span class="n">on</span>
<span class="n">SSLOptions</span> <span class="o">+</span><span class="n">StrictRequire</span>
<span class="n">SSLHonorCipherOrder</span> <span class="n">on</span>
<span class="c1"># Remove all, Add back only TLS1.2</span>
<span class="n">SSLProtocol</span> <span class="o">-</span><span class="n">ALL</span> <span class="o">+</span><span class="n">TLSv1</span><span class="o">.</span><span class="mi">2</span>
<span class="c1"># A fine selection of the choicest ciphers</span>
<span class="n">SSLCipherSuite</span> <span class="o">-</span><span class="n">ALL</span><span class="p">:</span><span class="n">ECDHE</span><span class="o">-</span><span class="n">RSA</span><span class="o">-</span><span class="n">AES256</span><span class="o">-</span><span class="n">GCM</span><span class="o">-</span><span class="n">SHA384</span><span class="p">:</span><span class="n">ECDHE</span><span class="o">-</span><span class="n">RSA</span><span class="o">-</span><span class="n">AES128</span><span class="o">-</span><span class="n">GCM</span><span class="o">-</span><span class="n">SHA256</span>
<span class="n">SSLCertificateFile</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">custom</span><span class="o">/</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">crt</span>
<span class="n">SSLCertificateChainFile</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">custom</span><span class="o">/</span><span class="mi">1</span><span class="n">_intermediate</span><span class="o">.</span><span class="n">crt</span>
<span class="n">SSLCertificateKeyFile</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">private</span><span class="o">/</span><span class="n">exmple</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">key</span>
<span class="n">Header</span> <span class="n">always</span> <span class="n">add</span> <span class="n">Strict</span><span class="o">-</span><span class="n">Transport</span><span class="o">-</span><span class="n">Security</span> <span class="s2">"max-age=31536000"</span>
<span class="n">Header</span> <span class="n">always</span> <span class="n">set</span> <span class="n">Public</span><span class="o">-</span><span class="n">Key</span><span class="o">-</span><span class="n">Pins</span> <span class="s2">"pin-sha256=</span><span class="se">\"</span><span class="s2">f5uthPZ21VOlA6Bye2yvoe+6a/h9fKRK27SdFt43XHQ=</span><span class="se">\"</span><span class="s2">; pin-sha256=</span><span class="se">\"</span><span class="s2">ATwpV5xzLfkVs631iympx7q+JlvRePMgTcvFG7x3Eeo=</span><span class="se">\"</span><span class="s2">; max-age=5184000; includeSubDomains"</span>
<span class="n">ServerAdmin</span> <span class="n">webmaster</span><span class="err">@</span><span class="n">example</span><span class="o">.</span><span class="n">com</span>
<span class="n">DocumentRoot</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">www</span><span class="o">/</span><span class="n">html</span>
<span class="c1"># Available loglevels: trace8, ..., trace1, debug, info, notice, warn,</span>
<span class="c1"># error, crit, alert, emerg.</span>
<span class="c1"># It is also possible to configure the loglevel for particular</span>
<span class="c1"># modules, e.g.</span>
<span class="c1">#LogLevel info ssl:warn</span>
<span class="n">ErrorLog</span> <span class="o">$</span><span class="p">{</span><span class="n">APACHE_LOG_DIR</span><span class="p">}</span><span class="o">/</span><span class="n">error</span><span class="o">.</span><span class="n">log</span>
<span class="n">CustomLog</span> <span class="o">$</span><span class="p">{</span><span class="n">APACHE_LOG_DIR</span><span class="p">}</span><span class="o">/</span><span class="n">access</span><span class="o">.</span><span class="n">log</span> <span class="n">combined</span>
<span class="c1">################################################################################ </span>
<span class="c1"># Matrix Synapse </span>
<span class="c1">################################################################################ </span>
<span class="n">ProxyPass</span> <span class="o">/</span><span class="n">_matrix</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="mf">127.0</span><span class="o">.</span><span class="mf">0.1</span><span class="p">:</span><span class="mi">8008</span><span class="o">/</span><span class="n">_matrix</span>
<span class="n">ProxyPassReverse</span> <span class="o">/</span><span class="n">_matrix</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="mf">127.0</span><span class="o">.</span><span class="mf">0.1</span><span class="p">:</span><span class="mi">8008</span><span class="o">/</span><span class="n">_matrix</span>
<span class="o"></</span><span class="n">VirtualHost</span><span class="o">></span>
</code></pre></div>
<p>Then you can go to https://riot.im/app/#/register pick the custom server radio button and away you go.</p>
<p><img alt="Synapse Host name" src="https://xo.tc/images/riot-sign-up-page.png"></p>
<div class="footnote">
<hr>
<ol>
<li id="fn:F-Droid">
<p>I've said it before, as this is a security blog I should point out that I use F-Droid and CyanogenMod for Open Source philosophical reasons and <strong>not</strong> for security reasons. If you want a secure Android phone get a modern Nexus phone or the Google Pixel and stick on the stock ROM with all the Google updates. <a class="footnote-backref" href="#fnref:F-Droid" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Backing up a remote server with rsync2016-10-27T07:00:00+08:002016-10-27T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-10-27:/backing-up-a-remote-server-with-rsync.html<p>I've got a couple of VPS boxes over at <a href="https://www.ransomit.com.au/">RansomIT</a> including the server that run this site<sup id="fnref:RansomIT"><a class="footnote-ref" href="#fn:RansomIT">1</a></sup>. One of those boxes is a cheap little VPS with 512MB of RAM that costs me $5 a month. I need to back up this box, my usual go to for personal …</p><p>I've got a couple of VPS boxes over at <a href="https://www.ransomit.com.au/">RansomIT</a> including the server that run this site<sup id="fnref:RansomIT"><a class="footnote-ref" href="#fn:RansomIT">1</a></sup>. One of those boxes is a cheap little VPS with 512MB of RAM that costs me $5 a month. I need to back up this box, my usual go to for personal servers is <a href="https://www.crashplan.com/en-us/">Crashplan</a> but Crashplan <a href="https://support.code42.com/CrashPlan/4/Getting_Started/Code42_CrashPlan_System_Requirements">needs</a> 1GB of RAM.</p>
<p>So I thought, why not sync<sup id="fnref:sync"><a class="footnote-ref" href="#fn:sync">2</a></sup> the contents of the small server over to more powerful server (with 8GB of RAM) that can run Crashplan.</p>
<h2>Create a backup user on the source server</h2>
<p>I'm going to create a 'backups' account on the source server, add an SSH key and add the backups account into the sudoers group<sup id="fnref:Account"><a class="footnote-ref" href="#fn:Account">3</a></sup>.</p>
<div class="highlight"><pre><span></span><code>sudo useradd --system --shell /bin/bash --home-dir /home/backups --create-home backups
sudo su backups
<span class="nb">cd</span>
ssh-keygen
<span class="c1"># Accept the defaults</span>
mv id_rsa.pub authorized_keys
less ~/.ssh/id_rsa
<span class="c1"># Copy the private key and press Q to quit</span>
<span class="nb">exit</span>
sudo visudo
</code></pre></div>
<p>Add to the sudoers file</p>
<div class="highlight"><pre><span></span><code># Allow backups to run rsync as root without a password
backups ALL=NOPASSWD:/usr/bin/rsync
</code></pre></div>
<h2>Create our backups script on the destinaton server</h2>
<p>Copy the ssh private key (id_rsa) to the destination server.</p>
<div class="highlight"><pre><span></span><code>mkdir backups
<span class="nb">cd</span> backups
vim backups.id_rsa
sudo chown root:root backups.id_rsa
sudo chmod <span class="m">400</span> backups.id_rsa
<span class="c1"># SSH into the source server, this is both so we get the servers host key</span>
<span class="c1"># added and also a a bit of a 'hello world' sanity check.</span>
sudo ssh -i backups.id_rsa backups@source.example.com
<span class="nb">exit</span>
vim nightly-backups.sh
</code></pre></div>
<p>I've based my backups script on the one in the <a href="https://wiki.archlinux.org/index.php/full_system_backup_with_rsync">Arch Wiki</a></p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/bin/bash</span>
<span class="c1"># -a Archive mode (keep file permissions etc...)</span>
<span class="c1"># -A preserve ACLs</span>
<span class="c1"># -X keep extended attributeds</span>
<span class="c1"># Backup www.example.com</span>
rsync -aAX <span class="se">\</span>
-e <span class="s2">"ssh -i /home/michael/backups/backups.id_rsa"</span> <span class="se">\</span>
--rsync-path<span class="o">=</span><span class="s2">"sudo rsync"</span> <span class="se">\</span>
--exclude<span class="o">={</span><span class="s2">"/dev/*"</span>,<span class="s2">"/proc/*"</span>,<span class="s2">"/sys/*"</span>,<span class="s2">"/tmp/*"</span>,<span class="s2">"/run/*"</span>,<span class="s2">"/mnt/*"</span>,<span class="s2">"/media/*"</span>,<span class="s2">"/lost+found"</span><span class="o">}</span> <span class="se">\</span>
--delete <span class="se">\</span>
backups@www.example.com:/ <span class="se">\</span>
/home/michael/backups/www.example.com/
</code></pre></div>
<p>And link the script to crontab</p>
<div class="highlight"><pre><span></span><code><span class="c1"># The script needs to be owned by root or it won't execute.</span>
sudo chown root:root nightly-backups.sh
sudo chmod <span class="m">774</span> nightly-backups.sh
sudo vim /etc/crontab
</code></pre></div>
<div class="highlight"><pre><span></span><code># rsync servers back here 01:15 every day.
15 1 * * * root /home/michael/backups/nightly-backups.sh
</code></pre></div>
<p>The reason I've got the backup job also running as root on the destination server is we are keeping the file permissions and some files will be owned by root (from the source server) so we need to be root on the destination server to overwrite them when they change.</p>
<p>It's not the best backup solution but it's simple and effective.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:RansomIT">
<p>I'm an extremely satisfied customer and I'd be happy to recommend them. If you are looking for reasonably priced and reliable servers in Oceania with excellent customer service <a href="https://www.ransomit.com.au/">RansomIT</a> are great. <a class="footnote-backref" href="#fnref:RansomIT" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:sync">
<p>I wouldn't recommend <em>just</em> syncing a server as a backup solution, if you get hit by cryptolocker and you sync your files then your backups are encrypted too. But in this case the synced copy is getting backed up by Crashplan which handles all of the file revisions and retention time frames. <a class="footnote-backref" href="#fnref:sync" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:Account">
<p>On the Unix and Linux stackexchange <a href="http://unix.stackexchange.com/a/92397/112358">Martin von Wittich</a> makes a good point that this could be run as root. He is correct, my choice to use a seperate account is not that it directly increases security but I feel it's neater and it doesn't lead to sprawl.</p>
<p>For example say another job also needs to ssh in as root, if there is already an SSH key it would so easy to use the same key pair rather than generate a new one and append it to the authorized_keys. But then if you want to disable the backups you need to work out what other services are using that key pair.</p>
<p>I've seen Windows environments where twenty or thirty different services were running as the domain administrator account, many of these service did need administrative access, things like backups, inventory systems and anti-virus. But it meant that the domain admin password couldn't be changed (for example when staff left) without breaking things. It took a lot of work to find all of the things that were using the account and migrate them to their own accounts so we could change (and disable) the domain admin account. <a class="footnote-backref" href="#fnref:Account" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
</ol>
</div>Adding subject alternative name to certificate request2016-10-20T07:00:00+08:002016-10-20T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-10-20:/adding-subject-alternative-name-to-certificate-request.html<p>This is another <a href="https://xo.tc/tag/note-to-self.html">note to self</a>, I must have done this 20 or 30 times over the years but I can never remember exactly how.</p>
<p>The easiest way I've found to add subject alternate names to certificate requests is to add two lines at the end of <code>/etc/ssl/openssl …</code></p><p>This is another <a href="https://xo.tc/tag/note-to-self.html">note to self</a>, I must have done this 20 or 30 times over the years but I can never remember exactly how.</p>
<p>The easiest way I've found to add subject alternate names to certificate requests is to add two lines at the end of <code>/etc/ssl/openssl.cnf</code></p>
<div class="highlight"><pre><span></span><code><span class="k">[SAN]</span>
<span class="na">subjectAltName</span><span class="o">=</span><span class="s">DNS:example.com,DNS:www.example.com,DNS:mail.example.com</span>
</code></pre></div>
<p>Then when creating a CSR simply include <code>-reqexts SAN</code></p>
<p><code>openssl req -out CSR.csr -new -newkey rsa:4096 -nodes -keyout privateKey.key -reqexts SAN</code></p>
<p>or</p>
<p><code>openssl req -out CSR.csr -key my-existing-key.example.com.key -new -sha256 -reqexts SAN</code></p>
<p>It's that simple.</p>Recovering data from a hard drive after wiping the partition table2016-10-13T07:00:00+08:002016-10-13T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-10-13:/recovering-data-from-a-hard-drive-after-wiping-the-partition-table.html<p>A mate from work had a LUKS volume that he had setup and was using to store his personal documents, things like scanned copies of invoices and tax information. Unfortunately in a momentary lapse of concentration after mounting it he ran <code>mkfs.ext4</code> over it.</p>
<p>I'm sure we have all …</p><p>A mate from work had a LUKS volume that he had setup and was using to store his personal documents, things like scanned copies of invoices and tax information. Unfortunately in a momentary lapse of concentration after mounting it he ran <code>mkfs.ext4</code> over it.</p>
<p>I'm sure we have all been there before, anyone who has spent enough time in tech knows the gut wrenching feeling after entering the wrong command. I can still remember the tense feeling after I ran query but forgot the where clause and saw <code>(2986 row(s) affected)</code> when I was expecting <code>(1 row(s) affected)</code>.</p>
<p>The good news was that my mate had a backup, the bad news was the backup was six months out of date. He was able to make a copy of the LUKS volume and run <a href="http://www.cgsecurity.org/wiki/PhotoRec">PhotoRec</a> over it which pulled back all the files.</p>
<p>PhotoRec is a brilliant tool but it can't recover metadata so things like file names, creation and last modified dates and directory structures were all missing. So he was left with thousands of recovered files, some of which he already had and others that were new.</p>
<p>I wrote a simple python script to run through two directories and check for files in the new directory (the recovered files) that were not in the old directory (backup of original files).</p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/usr/bin/python3</span>
<span class="c1"># -*- coding: UTF-8 -*-</span>
<span class="sd">"""</span>
<span class="sd">A small python script to find new files in two similar directories.</span>
<span class="sd">"""</span>
<span class="kn">import</span> <span class="nn">os</span>
<span class="kn">import</span> <span class="nn">os.path</span>
<span class="kn">import</span> <span class="nn">hashlib</span>
<span class="kn">import</span> <span class="nn">argparse</span>
<span class="k">def</span> <span class="nf">setup_options</span><span class="p">():</span>
<span class="sd">"""</span>
<span class="sd"> Parse options and get the location of the old and the new directory.</span>
<span class="sd"> """</span>
<span class="n">parser</span> <span class="o">=</span> <span class="n">argparse</span><span class="o">.</span><span class="n">ArgumentParser</span><span class="p">(</span>
<span class="n">description</span><span class="o">=</span><span class="p">(</span><span class="s1">'Run through two directories (including sub directories) '</span>
<span class="s1">'and find files that are the new directory but not in '</span>
<span class="s1">'the old directory.'</span><span class="p">))</span>
<span class="n">parser</span><span class="o">.</span><span class="n">add_argument</span><span class="p">(</span>
<span class="s1">'old_files'</span><span class="p">,</span>
<span class="n">metavar</span><span class="o">=</span><span class="s1">'old_directory'</span><span class="p">,</span>
<span class="nb">type</span><span class="o">=</span><span class="nb">str</span><span class="p">,</span>
<span class="n">help</span><span class="o">=</span><span class="s1">'The old directory with the original files'</span><span class="p">)</span>
<span class="n">parser</span><span class="o">.</span><span class="n">add_argument</span><span class="p">(</span>
<span class="s1">'new_files'</span><span class="p">,</span>
<span class="n">metavar</span><span class="o">=</span><span class="s1">'new_directory'</span><span class="p">,</span>
<span class="nb">type</span><span class="o">=</span><span class="nb">str</span><span class="p">,</span>
<span class="n">help</span><span class="o">=</span><span class="s1">'The new directory with both original files and new ones.'</span><span class="p">)</span>
<span class="k">return</span> <span class="n">parser</span><span class="o">.</span><span class="n">parse_args</span><span class="p">()</span>
<span class="k">def</span> <span class="nf">compare_two_directories</span><span class="p">(</span><span class="n">settings</span><span class="p">):</span>
<span class="sd">"""</span>
<span class="sd"> Run through two directories (including sub directories) and find files that</span>
<span class="sd"> are in the new directory but not in the old directory.</span>
<span class="sd"> """</span>
<span class="n">original_files</span> <span class="o">=</span> <span class="nb">set</span><span class="p">()</span>
<span class="c1"># Run through the original directory and creates an MD5 sum each of the</span>
<span class="c1"># files. MD5 is insecure because of known hash collisions, however we are</span>
<span class="c1"># not trying to validate the file's contents so it's good enough, faster</span>
<span class="c1"># and more memory efficient than SHA256.</span>
<span class="k">for</span> <span class="n">dirpath</span><span class="p">,</span> <span class="n">dirnames</span><span class="p">,</span> <span class="n">filenames</span> <span class="ow">in</span> <span class="n">os</span><span class="o">.</span><span class="n">walk</span><span class="p">(</span><span class="n">settings</span><span class="o">.</span><span class="n">old_files</span><span class="p">):</span>
<span class="k">for</span> <span class="n">filename</span> <span class="ow">in</span> <span class="n">filenames</span><span class="p">:</span>
<span class="n">file_path</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">dirpath</span><span class="p">,</span> <span class="n">filename</span><span class="p">)</span>
<span class="n">file_hash</span> <span class="o">=</span> <span class="n">hashlib</span><span class="o">.</span><span class="n">md5</span><span class="p">(</span><span class="nb">open</span><span class="p">(</span><span class="n">file_path</span><span class="p">,</span> <span class="s1">'rb'</span><span class="p">)</span><span class="o">.</span><span class="n">read</span><span class="p">())</span><span class="o">.</span><span class="n">hexdigest</span><span class="p">()</span>
<span class="n">original_files</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">file_hash</span><span class="p">)</span>
<span class="c1"># Run through the new directory and print files who's md5 hash is not in</span>
<span class="c1"># the original list of files.</span>
<span class="k">for</span> <span class="n">dirpath</span><span class="p">,</span> <span class="n">dirnames</span><span class="p">,</span> <span class="n">filenames</span> <span class="ow">in</span> <span class="n">os</span><span class="o">.</span><span class="n">walk</span><span class="p">(</span><span class="n">settings</span><span class="o">.</span><span class="n">new_files</span><span class="p">):</span>
<span class="k">for</span> <span class="n">filename</span> <span class="ow">in</span> <span class="n">filenames</span><span class="p">:</span>
<span class="n">file_path</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">dirpath</span><span class="p">,</span> <span class="n">filename</span><span class="p">)</span>
<span class="n">file_hash</span> <span class="o">=</span> <span class="n">hashlib</span><span class="o">.</span><span class="n">md5</span><span class="p">(</span><span class="nb">open</span><span class="p">(</span><span class="n">file_path</span><span class="p">,</span> <span class="s1">'rb'</span><span class="p">)</span><span class="o">.</span><span class="n">read</span><span class="p">())</span><span class="o">.</span><span class="n">hexdigest</span><span class="p">()</span>
<span class="k">if</span> <span class="n">file_hash</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">original_files</span><span class="p">:</span>
<span class="nb">print</span><span class="p">(</span><span class="n">file_path</span><span class="p">)</span>
<span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">"__main__"</span><span class="p">:</span>
<span class="n">compare_two_directories</span><span class="p">(</span><span class="n">setup_options</span><span class="p">())</span>
</code></pre></div>
<p>I've put this script up on <a href="https://github.com/HybridAU/compare">GitHub</a> so anyone can use it, with a simple</p>
<div class="highlight"><pre><span></span><code>michael@xo:~$ ./compare.py /home/michael/backup /home/michael/recovered-files
</code></pre></div>
<p>It runs through all the files in the old directory (and it's subdirectories) and calculates an MD5 sum. While MD5 is broken for validating the contents files because of known <a href="http://www.mscs.dal.ca/~selinger/md5collision/">hash collisions</a>, and should <em>never</em> be used for storing passwords, we are just trying to compare two documents neither of which is coming from an untrusted source so it's good enough and quicker when running over a few thousands documents than SHA256<sup id="fnref:quicker"><a class="footnote-ref" href="#fn:quicker">1</a></sup>.</p>
<p>Then it stores the MD5 hash in a <a href="https://docs.python.org/3.5/library/stdtypes.html#set-types-set-frozenset">set</a>. I've used a set rather than say a list, because I don't want duplicates and I want to be able to check if a value is in the set quickly.</p>
<p>Next it runs through the new directory (and it's subdirectories) and for every file that has an MD5 sum that's not in the set, it outputs the name.</p>
<p>This script brought the number of recovered files down from thousands to a manageable amount, so hopefully it's useful for someone else in a similar situation.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:quicker">
<p>I believe that thanks to optimizations in the design of SHA256 it can potentially be quicker than MD5. I've heard that with OpenSSL SHA256 is quicker than MD5. But with my tests using python's hashlib MD5 was faster than SHA256. <a class="footnote-backref" href="#fnref:quicker" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Setting up mailpile on Debian 8 Jessie for remote access2016-10-06T07:00:00+08:002016-10-06T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-10-06:/setting-up-mailpile-on-debian-8-jessie-for-remote-access.html<p>I've never yet found a mail client that I <em>really love</em>. Outlook is ok in corporate environments. Gmail is probably the best I've used but I'm <a href="https://xo.tc/good-bye-google.html">trying</a> to move away from Google and free 3rd party hosted solutions. <a href="https://roundcube.net/">Roundcube</a> is pretty good, I'm not a fan of PHP but most …</p><p>I've never yet found a mail client that I <em>really love</em>. Outlook is ok in corporate environments. Gmail is probably the best I've used but I'm <a href="https://xo.tc/good-bye-google.html">trying</a> to move away from Google and free 3rd party hosted solutions. <a href="https://roundcube.net/">Roundcube</a> is pretty good, I'm not a fan of PHP but most of the internet seems to run on it. I've run <a href="http://www.rainloop.net/">Rainloop</a> for a while I like it. I actually think <a href="https://www.kde.org/applications/internet/kmail/">KMail</a> and <a href="https://userbase.kde.org/Kontact">Kontact</a> as a whole are very nice. I kind of wish they handled HTML email a bit more elegantly but with some tweaking they work well. The problem is they are desktop solutions and I'd like something I can access remotely. I use <a href="http://www.mutt.org/">Mutt</a> over ssh a bit and that works well enough.</p>
<p>So I though I'd give <a href="https://www.mailpile.is/">mailpile</a> a go, I know it's not designed to run as a web service but it can.</p>
<p>The <a href="https://github.com/mailpile/Mailpile/wiki/Getting-started-on-linux">install guide</a> is very well documented. I pretty much followed it verbatim although I tweaked a few things because I wanted it to run as a service.</p>
<p>I SSHed into my home box and forwareded port 33411</p>
<div class="highlight"><pre><span></span><code>ssh example.com -L 33411:localhost:33411
</code></pre></div>
<h2>Install the prerequisites</h2>
<div class="highlight"><pre><span></span><code>sudo apt-get install git gnupg openssl python-virtualenv python-pip python-lxml python-dev libjpeg-dev
</code></pre></div>
<h2>Clone the Git Repo</h2>
<div class="highlight"><pre><span></span><code> sudo git clone --recursive https://github.com/mailpile/Mailpile.git /opt/mailpile
</code></pre></div>
<h2>Create a mailpile user</h2>
<p>For now we are going to give the user <code>/bin/bash</code> as a shell, but later we will change it to <code>/usr/sbin/nologin</code></p>
<div class="highlight"><pre><span></span><code>sudo useradd --system --shell /bin/bash --home-dir /opt/mailpile mailpile
</code></pre></div>
<h2>Setup the virtual environment</h2>
<p>Unfortunately it looks like mailpile only runs with Python 2.7 not Python 3+</p>
<div class="highlight"><pre><span></span><code># Set ownership of mailpile
sudo chown -R mailpile:mailpile /opt/mailpile/
# Change to the mailpile user
sudo su mailpile
# move into the newly created source repo
cd /opt/mailpile
# create a virtual environment directory
virtualenv -p /usr/bin/python2.7 --system-site-packages mp-virtualenv
# activate the virtual Python environment
source mp-virtualenv/bin/activate
</code></pre></div>
<h2>Install the dependencies</h2>
<div class="highlight"><pre><span></span><code>pip install -r requirements.txt
</code></pre></div>
<h2>Run mailpile</h2>
<p>As a test we are going to start mailpile manually, once we are sure it's working we will make it a service.</p>
<div class="highlight"><pre><span></span><code>./mp
</code></pre></div>
<p>If all has gone well you should now see a <code>mailpile></code> prompt and if have forwareded the ports you should be able to browse to <a href="http://localhost:33411">http://localhost:33411</a></p>
<h2>Setup mail</h2>
<p>The setup was very simple,</p>
<p>You are first greeted with a welcome screen where you select your language</p>
<p><img alt="Mailpile first welcome screen" src="https://xo.tc/images/mailpile_01_welcome_to_mailpile.png"></p>
<p>Next you choose a password</p>
<p><img alt="Mailpile Choose a password" src="https://xo.tc/images/mailpile_02_Choose_a_password.png"></p>
<p>Click through to finish the setup</p>
<p><img alt="Mailpile Finish setup" src="https://xo.tc/images/mailpile_03_Mailpile_Secured.png"></p>
<p>And you end up a login screen</p>
<p><img alt="Mailpile Login screen" src="https://xo.tc/images/mailpile_04_Login_screen.png"></p>
<p>Once you login you are presented with a welcome screen.</p>
<p><img alt="Mailpile First welcome screen" src="https://xo.tc/images/mailpile_05_Welcom_screen.png"></p>
<p>Before you can add an account you need to run through the privacy settings, I went with the defaults which were pertty good.</p>
<p><img alt="Mailpile Privacy settings" src="https://xo.tc/images/mailpile_06_Privacy_settings.png"></p>
<p>Then you go back to the welcome screen but this time you can add an account.</p>
<p><img alt="Mailpile Retrun to welcome screen" src="https://xo.tc/images/mailpile_07_Returned_welcom_screen.png"></p>
<p>I added an account</p>
<p><img alt="Mailpile Adding an account" src="https://xo.tc/images/mailpile_08_Add_account.png"></p>
<p>I went with the 'Detect settings' option to see how well that worked, it took a couple of minutes but got everything right. Later I also tried adding settings manually and that was pretty easy too.</p>
<p><img alt="Mailpile Auto detect settings" src="https://xo.tc/images/mailpile_09_auto_detect.png"></p>
<p>Lastly you setup your encryption options and your done.</p>
<p><img alt="Mailpile Auto detect settings" src="https://xo.tc/images/mailpile_10_finished_setup.png"></p>
<p>Now you can check your mail.</p>
<p><img alt="Mailpile Home screen" src="https://xo.tc/images/mailpile_11_Showing_mail.png"></p>
<p>When I was setting up Mailpile I ran into <a href="https://github.com/mailpile/Mailpile/issues/1578">issue 1578</a> and so no mail was showing up. Fortunatly there is a <a href="https://github.com/cbrouwer/Mailpile/commit/b1708c98df6ed60a2a0c513a9ab1683e4530156a">simple fix</a> for that which will hopefully be merged soon.</p>
<p>I'm planning on running Mailpile under a subdirectory (e.g. example.com/mailpile) so in the mailpile terminal I ran <code>set sys.http_path = /mailpile</code> but that's not necessary if your planning on running it in the root of your domain.</p>
<div class="highlight"><pre><span></span><code>mailpile> login
Your password:
mailpile> set sys.http_path = /mailpile
Elapsed: 0.001s (set: Updated your settings)
{
"sys.http_path": "/mailpile"
}
mailpile>
</code></pre></div>
<h2>Make it a service</h2>
<p>Press Ctrl + D to exit the mailpile cli, then type <code>deactivate</code> python virtual environment and <code>exit</code> to change back to your normal account.</p>
<p><code>sudo vim /etc/systemd/system/mailpile.service</code></p>
<div class="highlight"><pre><span></span><code><span class="k">[Unit]</span>
<span class="na">Description</span><span class="o">=</span><span class="s">Mailplie Server</span>
<span class="na">After</span><span class="o">=</span><span class="s">syslog.target</span>
<span class="na">After</span><span class="o">=</span><span class="s">network.target</span>
<span class="k">[Service]</span>
<span class="na">Type</span><span class="o">=</span><span class="s">simple</span>
<span class="na">User</span><span class="o">=</span><span class="s">mailpile</span>
<span class="na">Group</span><span class="o">=</span><span class="s">mailpile</span>
<span class="na">WorkingDirectory</span><span class="o">=</span><span class="s">/opt/mailpile</span>
<span class="na">ExecStart</span><span class="o">=</span><span class="s">/opt/mailpile/mp-virtualenv/bin/python mp --www= --wait</span>
<span class="c1"># Give a reasonable amount of time for the server to start up/shut down</span>
<span class="na">TimeoutSec</span><span class="o">=</span><span class="s">300</span>
<span class="k">[Install]</span>
<span class="na">WantedBy</span><span class="o">=</span><span class="s">multi-user.target</span>
</code></pre></div>
<p>Enable and start the service</p>
<div class="highlight"><pre><span></span><code>sudo systemctl enable mailpile.service
sudo systemctl start mailpile.service
</code></pre></div>
<p>Now that it's a service we can lock the user account down a bit more by giving it no shell.</p>
<div class="highlight"><pre><span></span><code>sudo usermod -s /usr/sbin/nologin mailpile
</code></pre></div>
<h2>Make it a website</h2>
<p>As Mailpile is still in beta and they <a href="https://github.com/mailpile/Mailpile/wiki/Accessing-The-GUI-Over-Internet">recommend</a> you don't leave it open.</p>
<blockquote>
<p>At the moment, we do not recommend exposing Mailpile directly to the wider Internet.</p>
</blockquote>
<p>So I'm going to be setting mine up so you need a client certificate to access it. This isn't necessary but it's an extra layer of security and I'd recommend it. I've got a tutorial on <a href="https://xo.tc/setting-up-a-personal-certification-authority.html">setting up a personal certification authority</a> and <a href="https://xo.tc/securing-apache-with-client-certificates.html">securing apache with client certificates</a> if you want more information on how that works.</p>
<p><code>sudo vim /etc/apache2/sites-enabled/000-default.conf</code></p>
<p>Below is most of my apache2 config, but the important bits are under <code># SSL Client</code> Certificates and <code># Mailpile</code></p>
<div class="highlight"><pre><span></span><code><span class="o"><</span><span class="n">VirtualHost</span> <span class="o">*</span><span class="p">:</span><span class="mi">443</span><span class="o">></span>
<span class="c1"># Host settings</span>
<span class="n">ServerName</span> <span class="n">example</span><span class="o">.</span><span class="n">com</span>
<span class="c1"># SSL Settings</span>
<span class="n">SSLEngine</span> <span class="n">on</span>
<span class="n">SSLOptions</span> <span class="o">+</span><span class="n">StrictRequire</span>
<span class="n">SSLHonorCipherOrder</span> <span class="n">on</span>
<span class="c1"># Remove all, Add back only TLS1.2</span>
<span class="n">SSLProtocol</span> <span class="o">-</span><span class="n">ALL</span> <span class="o">+</span><span class="n">TLSv1</span><span class="o">.</span><span class="mi">2</span>
<span class="c1"># A fine selection of the choicest ciphers</span>
<span class="n">SSLCipherSuite</span> <span class="o">-</span><span class="n">ALL</span><span class="p">:</span><span class="n">ECDHE</span><span class="o">-</span><span class="n">RSA</span><span class="o">-</span><span class="n">AES256</span><span class="o">-</span><span class="n">GCM</span><span class="o">-</span><span class="n">SHA384</span><span class="p">:</span><span class="n">ECDHE</span><span class="o">-</span><span class="n">RSA</span><span class="o">-</span><span class="n">AES128</span><span class="o">-</span><span class="n">GCM</span><span class="o">-</span><span class="n">SHA256</span>
<span class="n">SSLCertificateFile</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">custom</span><span class="o">/</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">crt</span>
<span class="n">SSLCertificateChainFile</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">custom</span><span class="o">/</span><span class="mi">1</span><span class="n">_intermediate</span><span class="o">.</span><span class="n">crt</span>
<span class="n">SSLCertificateKeyFile</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">private</span><span class="o">/</span><span class="n">exmple</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">key</span>
<span class="n">Header</span> <span class="n">always</span> <span class="n">add</span> <span class="n">Strict</span><span class="o">-</span><span class="n">Transport</span><span class="o">-</span><span class="n">Security</span> <span class="s2">"max-age=31536000"</span>
<span class="c1"># HPKP: HTTP Public Key Pinning</span>
<span class="c1"># https://scotthelme.co.uk/hpkp-http-public-key-pinning/</span>
<span class="c1"># https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning</span>
<span class="n">Header</span> <span class="n">always</span> <span class="n">set</span> <span class="n">Public</span><span class="o">-</span><span class="n">Key</span><span class="o">-</span><span class="n">Pins</span> <span class="s2">"pin-sha256=</span><span class="se">\"</span><span class="s2">f5uthPZ21VOlA6Bye2yvoe+6a/h9fKRK27SdFt43XHQ=</span><span class="se">\"</span><span class="s2">; pin-sha256=</span><span class="se">\"</span><span class="s2">ATwpV5xzLfkVs631iympx7q+JlvRePMgTcvFG7x3Eeo=</span><span class="se">\"</span><span class="s2">; max-age=5184000; includeSubDomains"</span>
<span class="n">ServerAdmin</span> <span class="n">webmaster</span><span class="err">@</span><span class="n">example</span><span class="o">.</span><span class="n">com</span>
<span class="n">DocumentRoot</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">www</span><span class="o">/</span><span class="n">html</span>
<span class="c1"># Available loglevels: trace8, ..., trace1, debug, info, notice, warn,</span>
<span class="c1"># error, crit, alert, emerg.</span>
<span class="c1"># It is also possible to configure the loglevel for particular</span>
<span class="c1"># modules, e.g.</span>
<span class="c1">#LogLevel info ssl:warn</span>
<span class="n">ErrorLog</span> <span class="o">$</span><span class="p">{</span><span class="n">APACHE_LOG_DIR</span><span class="p">}</span><span class="o">/</span><span class="n">error</span><span class="o">.</span><span class="n">log</span>
<span class="n">CustomLog</span> <span class="o">$</span><span class="p">{</span><span class="n">APACHE_LOG_DIR</span><span class="p">}</span><span class="o">/</span><span class="n">access</span><span class="o">.</span><span class="n">log</span> <span class="n">combined</span>
<span class="c1">################################################################################ </span>
<span class="c1"># SSL Client Certificates</span>
<span class="c1">################################################################################ </span>
<span class="c1"># This allows any client certificates issued by Example CA</span>
<span class="n">SSLCACertificateFile</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">custom</span><span class="o">/</span><span class="n">ExampleCertificationAuthority</span><span class="o">.</span><span class="n">pem</span>
<span class="c1">################################################################################ </span>
<span class="c1"># Mailpile</span>
<span class="c1">################################################################################ </span>
<span class="n">ProxyPass</span> <span class="o">/</span><span class="n">mailpile</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="mf">127.0</span><span class="o">.</span><span class="mf">0.1</span><span class="p">:</span><span class="mi">33411</span><span class="o">/</span><span class="n">mailpile</span>
<span class="n">ProxyPassReverse</span> <span class="o">/</span><span class="n">mailpile</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="mf">127.0</span><span class="o">.</span><span class="mf">0.1</span><span class="p">:</span><span class="mi">33411</span><span class="o">/</span><span class="n">mailpile</span>
<span class="o"><</span><span class="n">Location</span> <span class="o">/</span><span class="n">mailpile</span><span class="o">></span>
<span class="n">SSLVerifyClient</span> <span class="n">require</span>
<span class="n">SSLVerifyDepth</span> <span class="mi">3</span>
<span class="c1"># Restricts the list of client certificates we accept, from all</span>
<span class="c1"># client certificates issued by Example CA to just authorised ones.</span>
<span class="n">SSLRequire</span> <span class="o">%</span><span class="p">{</span><span class="n">SSL_CLIENT_S_DN_Email</span><span class="p">}</span> <span class="n">eq</span> <span class="s2">"michael@example.com"</span> \
<span class="ow">or</span> <span class="o">%</span><span class="p">{</span><span class="n">SSL_CLIENT_S_DN_Email</span><span class="p">}</span> <span class="n">eq</span> <span class="s2">"michael@xo.tc"</span>
<span class="o"></</span><span class="n">Location</span><span class="o">></span>
<span class="o"></</span><span class="n">VirtualHost</span><span class="o">></span>
</code></pre></div>
<p>Restart Apache and your done.</p>
<p><code>sudo systemctl restart apache2.service</code></p>My ownCloud update script2016-09-29T07:00:00+08:002016-09-29T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-09-29:/my-owncloud-update-script.html<p><strong>Update 2017-03-02:</strong> If your using Nextcloud they now have their own <a href="https://xo.tc/using-the-newish-nextcloud-updater.html">in browser updater</a> this script still works though. </p>
<p>One of the most important things in security is patching. For the last several years two out of the ASD's <a href="http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm">top four mitigations</a> have been patching (patching applications and patching the …</p><p><strong>Update 2017-03-02:</strong> If your using Nextcloud they now have their own <a href="https://xo.tc/using-the-newish-nextcloud-updater.html">in browser updater</a> this script still works though. </p>
<p>One of the most important things in security is patching. For the last several years two out of the ASD's <a href="http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm">top four mitigations</a> have been patching (patching applications and patching the Operating System).</p>
<p>To me I think how your going to get new version of your application out to your end users should be a decision made very early in the design phase. About the time your thinking whats the most appropriate programing language to tackle a problem you should also be thinking how will I deploy this code once it's written and how will we update deployments.</p>
<p>Sometimes this decision will be made for you by the platform you are targeting such as Android or IOS. Sometimes it's not your problem when you expect downstream distributions to deal with packaging and updates<sup id="fnref:downstream"><a class="footnote-ref" href="#fn:downstream">1</a></sup>. And sometimes you need to build your own update mechanism. I quite like the way <a href="http://www.librenms.org/">LibreNMS</a> updates, which basically boils down to a cron job doing a <code>git pull</code> every day.</p>
<p>I've used <a href="https://owncloud.org/">ownCloud</a> for a while but one thing that's always annoyed me is they don't have an easy way to upgrades. I'd like to just tick a box that says 'Keep me on the latest stable version' or at the very least 'download security fixes automatically'.</p>
<p>For now I've made do with this script and just manually downloading the latest version of ownCloud each time there is a patch.</p>
<p>I've created a directory called <code>/opt/owncloud-install/</code> and in there I've got a subdirectory called <code>old-installs</code>. When a new ownCloud version comes out I cd into <code>/opt/owncloud-install/</code> wget the latest version and run <code>/opt/owncloud-install/upgrade.sh</code></p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/bin/bash</span>
<span class="c1"># Stop Apache2 (not necessary, but it's a good idea)</span>
systemctl stop apache2.service
<span class="c1"># Backup config.php and data</span>
mv /var/www/owncloud/config/config.php /opt/owncloud-install/config.php
mv /var/www/owncloud/data /opt/owncloud-install/
<span class="c1"># Delete everything else</span>
rm -rf /var/www/owncloud/
<span class="c1"># Extract a fresh copy (the tar ball doesn't include a data and config.php)</span>
tar -xf owncloud-*.tar.bz2 -C /var/www/
<span class="c1"># Replace the backed up files</span>
mv /opt/owncloud-install/config.php /var/www/owncloud/config/
mv /opt/owncloud-install/data/ /var/www/owncloud/
<span class="c1"># Set ownership (the files in the tar ball are owned by nobody)</span>
chown -R www-data:www-data /var/www/owncloud/
<span class="c1"># Start Apache2 back up.</span>
systemctl start apache2.service
<span class="c1"># Achive install file</span>
mv owncloud-*.tar.bz2 old-installs/
</code></pre></div>
<p>After that you still need to visit your ownCloud home page and click through the database upgrades.</p>
<p>It's not the most robust script but it works well enough for me. I've been looking at <a href="https://nextcloud.com/">NextCloud</a>, I haven't made the switch yet but if they introduce an automatic update mechanism that would be a big enough draw card for me to change.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:downstream">
<p>Although even then you need some way to mark a new version and security fixes so the downstream can package them. <a class="footnote-backref" href="#fnref:downstream" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Calls from the bank2016-09-22T07:00:00+08:002016-09-22T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-09-22:/calls-from-the-bank.html<p>I bank with one of the <a href="https://en.wikipedia.org/wiki/Banking_in_Australia#Four_pillars">big four banks</a> in Australia I recently got a call, and it started off</p>
<p>"Hi I'm Taylor<sup id="fnref:Taylor"><a class="footnote-ref" href="#fn:Taylor">1</a></sup> I'm calling from {bank_name} and I'd like to talk to you about a letter you received from the bank recently"</p>
<p>I hadn't seen any letter but …</p><p>I bank with one of the <a href="https://en.wikipedia.org/wiki/Banking_in_Australia#Four_pillars">big four banks</a> in Australia I recently got a call, and it started off</p>
<p>"Hi I'm Taylor<sup id="fnref:Taylor"><a class="footnote-ref" href="#fn:Taylor">1</a></sup> I'm calling from {bank_name} and I'd like to talk to you about a letter you received from the bank recently"</p>
<p>I hadn't seen any letter but I've migrated all my bills to paperless and I on only check my snail mail once every week or two. I said so and the call continued.</p>
<p>"I apologizes for this but I need to let you know this call is being recorded for quality assurance purposes, and as I am accessing your profile I will need to verify your account, I'll need your full name including middle name, current address and date of birth."</p>
<p>At this point Taylor had provided me with no details to prove the call has come from the bank. The call had come from an odd number<sup id="fnref:odd-number"><a class="footnote-ref" href="#fn:odd-number">2</a></sup> and they were asking for personal information.</p>
<p>So I asked Taylor if I could call back to verify the call was from the bank and also asked for Taylor's last name. Taylor seemed genuinely surprised and almost a little offended that I didn't just trust that this mysterious call was from my bank. Taylor then told me that employees were not allowed to give out their last name for privacy reasons but suggested that I call back on the same number that I had in my caller ID. That number is not publicly available anywhere on the bank website. In fact when I Googled the number I found other people asking about the same number on the bank's forums with a moderator saying "I am unable to confirm whether this is a {bank_name} phone number;"</p>
<p>So I called the bank using the number on their contact us page and I was expecting to hear them say, "Yes it's a scam, it's been doing the rounds and we are doing our best to stop it but comes from outside Australia and it's hard to shutdown." Instead I spoke to Sandy<sup id="fnref:Sandy"><a class="footnote-ref" href="#fn:Sandy">3</a></sup> who actually laughed and also seemed very surprised that I'd though someone cold calling me and calming to be from a bank with about a 20% market share<sup id="fnref:market-share"><a class="footnote-ref" href="#fn:market-share">4</a></sup> might not be genuine.</p>
<p>As it turned out the call was genuine and they were trying to sell me a an "upgrade" on my mortgage.</p>
<p>I saw Tory Hunt <a href="https://www.troyhunt.com/this-is-your-bank-please-verify-your/">write about this</a> almost two years ago. I thought banks were getting on top of this sort of thing, and I thought my bank had a pretty good security team. I met a few people who claimed to be part of their security teem at <a href="https://ruxcon.org.au/">Ruxcon</a> and they seemed pretty switched on.</p>
<p>I guess this is the sort of thing a marketing manager might setup without really thinking about the security implications but it's almost training people to just accept cold calls and give out information. I'm amazed they don't get more people calling back to verify but it seemed like I was an anomaly.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:Taylor">
<p>I've changed the name. <a class="footnote-backref" href="#fnref:Taylor" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:odd-number">
<p>I'm aware that <a href="https://en.wikipedia.org/wiki/Caller_ID_spoofing">caller ID spoofing</a> is not that hard but it still, it was a number I didn't recognize. <a class="footnote-backref" href="#fnref:odd-number" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:Sandy">
<p>Again I've changed the name. <a class="footnote-backref" href="#fnref:Sandy" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
<li id="fn:market-share">
<p>I've looked for a reliable source on banks market share and they all seem to differ a bit but it's generally about 20% to each of the big for banks and the remaining 20% split between all the small credit unions and little one branch banks. That combined with the fact that many people use more than one bank, I think if you called random Australian phone numbers you would have better than a 1 in 5 chance of finding someone who uses this bank. <a class="footnote-backref" href="#fnref:market-share" title="Jump back to footnote 4 in the text">↩</a></p>
</li>
</ol>
</div>An excellent demonstration of Cross-Site Request Forgery2016-09-15T07:00:00+08:002016-09-15T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-09-15:/an-excellent-demonstration-of-cross-site-request-forgery.html<p>A few weeks ago one of the people I follow on <a href="https://github.com/">GitHub</a> stared the <a href="https://github.com/superlogout/superlogout.github.io">superlogout</a> repository.</p>
<p>Intrigued by the name I went to check it out and found a simple site that logs you out of a bunch of services. For those that want to try it, it's available at …</p><p>A few weeks ago one of the people I follow on <a href="https://github.com/">GitHub</a> stared the <a href="https://github.com/superlogout/superlogout.github.io">superlogout</a> repository.</p>
<p>Intrigued by the name I went to check it out and found a simple site that logs you out of a bunch of services. For those that want to try it, it's available at <a href="http://superlogout.github.io/">superlogout.github.io</a> the way it works is pretty straight forward, it uses JavaScript to GET a <a href="https://github.com/superlogout/superlogout.github.io/blob/559be9fe2bb427745e30863f0733cd508a12eb09/index.html#L230-L275">bunch of urls</a> that are the logout pages for services (or in the case of YouTube, DeviantART and LiveJournal it's a POST).</p>
<p>This an excellent demonstration of how <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet">Cross-Site Request Forgery</a> works. In this case it's made clear that they are logging you out of the service, but they don't have to show you. I could embed the same JavaScript in my site but not show anything, people would just be mysteriously logged out of their GMail after reading my blog. Further I could use that along with my analytics to record which services visitors were logged into when they visited.</p>
<p>Logging someone out is not that dangerous but it's easy to see what could be done without CSRF protection. If they could post to any page on those sites with JavaScript, they could buy things on Amazon, bid on auctions on eBay, send emails with GMail and so on.</p>
<p>It's not <a href="https://en.wikipedia.org/wiki/Poe%27s_law">entirely clear</a> to me whether this is a parody site showing the power of CSRF or if it's genuinely meant to be a service. But my feeling is that it's meant to poke fun at the insecurities, and demonstrate that CSRF protection is needed on all pages, including logout pages and not just on pages where you can post data.</p>Alternative Networks for this site - ZeroNet2016-09-08T07:00:00+08:002016-09-08T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-09-08:/alternative-networks-for-this-site-zeronet.html<p>Over the last couple of weeks I've published this site as an <a href="https://xo.tc/alternative-networks-for-this-site-i2p.html">I2P eepsite</a>, and as a <a href="https://xo.tc/alternative-networks-for-this-site-tor.html">Tor Hidden Service</a>. This week I'm announcing Exotic Security is now available as a <a href="https://zeronet.io/">ZeroNet</a> site.</p>
<p><a href="http://localhost:43110/19M77j42ddq7wgvZctRSxR8Dyq7De8SGYb">http://localhost:43110/19M77j42ddq7wgvZctRSxR8Dyq7De8SGYb</a></p>
<p>I think ZeroNet is the most conceptually different network I've looked at yet …</p><p>Over the last couple of weeks I've published this site as an <a href="https://xo.tc/alternative-networks-for-this-site-i2p.html">I2P eepsite</a>, and as a <a href="https://xo.tc/alternative-networks-for-this-site-tor.html">Tor Hidden Service</a>. This week I'm announcing Exotic Security is now available as a <a href="https://zeronet.io/">ZeroNet</a> site.</p>
<p><a href="http://localhost:43110/19M77j42ddq7wgvZctRSxR8Dyq7De8SGYb">http://localhost:43110/19M77j42ddq7wgvZctRSxR8Dyq7De8SGYb</a></p>
<p>I think ZeroNet is the most conceptually different network I've looked at yet. While all the other networks I've looked at have been the standard client server model, I think of ZeroNet more like a torrent file that contains a bunch of HTML pages. So you can get the files off a peer to peer network and when you view the site you're both the client and the server.</p>
<p>ZeroNet is designed to be censorship resistant in the same way that torrents are, but also like torrents it's not designed for privacy.</p>
<p>As far as I can tell there is no official way of running ZeroNet as a service. I understand that it's designed to be peer to peer so your site can still be served even if your host is offline, but I wanted to run it as a service so I know there is always at least one host seeding the latest version of my site.</p>
<p>These are my notes on installing ZeroNet on Debian Jessie. All commands run as root (with sudo).</p>
<div class="highlight"><pre><span></span><code>apt-get install python-msgpack python-gevent
git clone https://github.com/HelloZeroNet/ZeroNet.git /opt/zeronet
useradd --system --shell /usr/sbin/nologin --home-dir /opt/zeronet zeronet
chown -R zeronet:zeronet /opt/zeronet/
vim /etc/systemd/system/zeronet.service
</code></pre></div>
<p>zeronet.service copied from <a href="https://github.com/bloff/zeronet-installs/blob/master/Ubuntu%20Linux/install_zeronet.sh">Bruno Loff's Ubuntu Install</a></p>
<div class="highlight"><pre><span></span><code><span class="k">[Unit]</span>
<span class="na">Description</span><span class="o">=</span><span class="s">Zeronet Server</span>
<span class="na">After</span><span class="o">=</span><span class="s">syslog.target</span>
<span class="na">After</span><span class="o">=</span><span class="s">network.target</span>
<span class="k">[Service]</span>
<span class="na">Type</span><span class="o">=</span><span class="s">simple</span>
<span class="na">User</span><span class="o">=</span><span class="s">zeronet</span>
<span class="na">Group</span><span class="o">=</span><span class="s">zeronet</span>
<span class="na">WorkingDirectory</span><span class="o">=</span><span class="s">/opt/zeronet</span>
<span class="na">ExecStart</span><span class="o">=</span><span class="s">/usr/bin/python zeronet.py</span>
<span class="c1"># Give a reasonable amount of time for the server to start up/shut down</span>
<span class="na">TimeoutSec</span><span class="o">=</span><span class="s">300</span>
<span class="k">[Install]</span>
<span class="na">WantedBy</span><span class="o">=</span><span class="s">multi-user.target</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code>systemctl start zeronet.service
systemctl enable zeronet.service
</code></pre></div>
<p>Getting a ZeroNet site up and running was pretty easy but I ran into some issues with my pelican site because I've been using root relative URLs but in ZeroNet my site is not running in the root of the server but instead under <code>/19M77j42ddq7wgvZctRSxR8Dyq7De8SGYb/</code> so I had to go back and look at the <a href="http://docs.getpelican.com/en/latest/content.html#linking-to-static-files">documentation</a> and update all the internal links in all my posts. After about half an hour with find and replace, grep and some regex I was in back in business.</p>Alternative Networks for this site - Tor2016-09-01T07:00:00+08:002016-09-01T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-09-01:/alternative-networks-for-this-site-tor.html<p>Last week I looked a few alternative censorship resistant networks and setup an <a href="https://xo.tc/alternative-networks-for-this-site-i2p.html">I2P eepsite</a>. This week I've made Exotic Security available as a <a href="https://www.torproject.org/">Tor hidden service</a>.</p>
<p><a href="http://exoticsecv6kd6fw.onion">http://exoticsecv6kd6fw.onion</a></p>
<p>I like vanity domain names so first I downloaded <a href="https://github.com/lachesis/scallion">Scallion</a> and generated an onion address that started with 'exoticsec'.</p>
<p>Scallion …</p><p>Last week I looked a few alternative censorship resistant networks and setup an <a href="https://xo.tc/alternative-networks-for-this-site-i2p.html">I2P eepsite</a>. This week I've made Exotic Security available as a <a href="https://www.torproject.org/">Tor hidden service</a>.</p>
<p><a href="http://exoticsecv6kd6fw.onion">http://exoticsecv6kd6fw.onion</a></p>
<p>I like vanity domain names so first I downloaded <a href="https://github.com/lachesis/scallion">Scallion</a> and generated an onion address that started with 'exoticsec'.</p>
<p>Scallion was very easy to use, just a simple git clone, xbuild and then</p>
<p><code>mono scallion.exe -c exoticsec</code></p>
<p>I was very impressed with how well it ran, my GPU a GeForce GTX 680 got 470 MH/s and found two names that matched in under 10 hours<sup id="fnref:10-hours"><a class="footnote-ref" href="#fn:10-hours">1</a></sup>.</p>
<p>I then installed Tor following their <a href="https://www.torproject.org/docs/debian.html.en">guide for Debian</a> and set it to run automatically <code>sudo systemctl enable tor.service</code></p>
<p>The I setup apache, I edited <code>/etc/apache2/ports.conf</code></p>
<div class="highlight"><pre><span></span><code># <span class="nv">Tor</span> <span class="nv">Hidden</span> <span class="nv">service</span>
# <span class="nv">Just</span> <span class="nv">a</span> <span class="k">random</span> <span class="nv">port</span> <span class="nv">number</span> <span class="nv">I</span> <span class="nv">generated</span>, <span class="nv">there</span> <span class="nv">is</span> <span class="nv">no</span> <span class="nv">significance</span> <span class="nv">to</span> <span class="nv">it</span>.
<span class="nv">Listen</span> <span class="mi">127</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">1</span>:<span class="mi">9625</span>
</code></pre></div>
<p>my sites-enabled</p>
<div class="highlight"><pre><span></span><code># Tor Hidden Service
<span class="nt"><VirtualHost</span> <span class="err">127.0.0.1:9625</span><span class="nt">></span>
# Host settings
ServerName exoticsecv6kd6fw.onion
ServerAdmin webmaster@xo.tc
DocumentRoot /var/www/tor-hidden-service
ErrorDocument 404 /pages/404-not-found.html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
# As we are hosting on localhost, by default the server-status and
# server-info pages are avalible.
<span class="nt"><Location</span> <span class="err">/server-status</span><span class="nt">></span>
Order allow,deny
Deny from all
<span class="nt"></Location></span>
<span class="nt"><Location</span> <span class="err">/server-info</span><span class="nt">></span>
Order allow,deny
Deny from all
<span class="nt"></Location></span>
ErrorLog <span class="cp">${</span><span class="n">APACHE_LOG_DIR</span><span class="cp">}</span>/error.log
CustomLog <span class="cp">${</span><span class="n">APACHE_LOG_DIR</span><span class="cp">}</span>/access.log combined
<span class="nt"></VirtualHost></span>
</code></pre></div>
<p>Then I edited <code>/etc/tor/torrc</code> and uncommented the two lines to enable a hidden service</p>
<div class="highlight"><pre><span></span><code><span class="n">HiddenServiceDir</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">tor</span><span class="o">/</span><span class="n">hidden_service</span><span class="o">/</span>
<span class="n">HiddenServicePort</span> <span class="mi">80</span> <span class="mf">127.0</span><span class="o">.</span><span class="mf">0.1</span><span class="p">:</span><span class="mi">9625</span>
</code></pre></div>
<p>Restarted tor to create the HiddenServiceDir</p>
<p><code>systemctl restart tor.service</code></p>
<p>Then I replaced <code>/var/lib/tor/hidden_service/private_key</code> with the key I'd generate with Scallion and I was done.</p>
<p>I was surprised how easy it was to get up and running. Admittedly it might have been a bit more involved if I'd been trying to hide my identity, I probably would have used <a href="https://www.whonix.org/">Whonix</a> as the host instead but even so it was very easy to get up and going.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:10-hours">
<p>Although I'm pretty sure that was mostly luck, the predicted time for one hash that matched was a little over 10 hours. <a class="footnote-backref" href="#fnref:10-hours" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Alternative Networks for this site - I2P2016-08-25T07:00:00+08:002016-08-25T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-08-25:/alternative-networks-for-this-site-i2p.html<p>I've been very interested in all the different censorship resistant that seem to have sprung up over the last few years so I thought I'd have a look at hosting this site on them. It seems like the ideal site to try them out with because I use <a href="http://blog.getpelican.com/">pelican</a> to …</p><p>I've been very interested in all the different censorship resistant that seem to have sprung up over the last few years so I thought I'd have a look at hosting this site on them. It seems like the ideal site to try them out with because I use <a href="http://blog.getpelican.com/">pelican</a> to generate static html files and they should be fairly easy to host anywhere.</p>
<p>The some of the networks I've looked at recently are:</p>
<ul>
<li><a href="https://www.torproject.org/">Tor</a></li>
<li><a href="https://geti2p.net/en/">I2P</a></li>
<li><a href="http://zeronet.io/">ZeroNet</a></li>
<li><a href="https://people.csail.mit.edu/devadas/pubs/riffle.pdf">Riffle</a></li>
</ul>
<p>and this week I've started running Exotic Security as an I2P eepsite<sup id="fnref:eepsite"><a class="footnote-ref" href="#fn:eepsite">1</a></sup> it's now available at:</p>
<p><a href="http://xotc.i2p">http://xotc.i2p</a></p>
<p>or</p>
<p><a href="http://gqgvzum3xdgtaahkjfw3layb33vjrucmw5btyhrppm463cz3c5oq.b32.i2p/">http://gqgvzum3xdgtaahkjfw3layb33vjrucmw5btyhrppm463cz3c5oq.b32.i2p/</a></p>
<p>I've used I2P for a while now and it's fairly similar to its more popular cousin Tor although there are a few <a href="https://geti2p.net/en/comparison/tor">notable diffrences</a>. The ones that stand out for me are:</p>
<ul>
<li>I2P was designed was a global passive adversary in mind. Someone who can watch the whole network, every packet that goes in and every packet that comes out. So it uses tricks like constantly sending some amount of traffic, whether you're using it or not to thwart traffic flow analysis.</li>
<li>Unlike Tor who ask you not to torrent over their network I2P actually encourages torrents and has a a built in torrent engine called snark.</li>
</ul>
<p>Setting up an eepsite was fairly easy. I installed I2P simply following their <a href="https://geti2p.net/en/download/debian#debian">debian install guide</a>.</p>
<p>I decided to go with a site run by Apache and use I2P as a reverse proxy rather than use the built in web server.</p>
<p>I edited the ports that apache listens on <code>vim /etc/apache2/ports.conf</code></p>
<div class="highlight"><pre><span></span><code># I2P eepsite
Listen 127.0.0.1:7658
</code></pre></div>
<p>and added an entry in <code>/etc/apache2/sites-enabled/000-default.conf</code></p>
<div class="highlight"><pre><span></span><code><span class="nt"><VirtualHost</span> <span class="err">127.0.0.1:7658</span><span class="nt">></span>
# Host settings
ServerName xotc.i2p
ServerAdmin webmaster@xo.tc
DocumentRoot /var/www/eepsite
ErrorDocument 404 /pages/404-not-found.html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
# As we are hosting on localhost, by default the server-status and
# server-info pages are avalible.
<span class="nt"><Location</span> <span class="err">/server-status</span><span class="nt">></span>
Order allow,deny
Deny from all
<span class="nt"></Location></span>
<span class="nt"><Location</span> <span class="err">/server-info</span><span class="nt">></span>
Order allow,deny
Deny from all
<span class="nt"></Location></span>
ErrorLog <span class="cp">${</span><span class="n">APACHE_LOG_DIR</span><span class="cp">}</span>/error.log
CustomLog <span class="cp">${</span><span class="n">APACHE_LOG_DIR</span><span class="cp">}</span>/access.log combined
<span class="nt"></VirtualHost></span>
</code></pre></div>
<p>and in the router console under I2P internals > Hidden Service Manager I enabled the website.</p>
<p>I could have simply pointed I2P at the site already running on port 443 but Pelican uses absolute links, also I <a href="https://xo.tc/using-piwik-analytics.html">use</a> <a href="https://piwik.org/">Piwik analytics</a> which again points to a clear net site. So instead I've used pelican to generate a new site with the relative links and no analytics.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:eepsite">
<p>I have a feeling I saw somewhere that I2P were looking at moving away from the name 'eepsite' and moving to calling them 'Hidden Services' like Tor does, but now I can't find that anywhere so I'm sticking with eepsite. <a class="footnote-backref" href="#fnref:eepsite" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Fingerprint readers on phones2016-08-18T07:00:00+08:002016-08-18T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-08-18:/fingerprint-readers-on-phones.html<p>I can clearly remember my first reaction when I heard about fingerprint readers on phones. It was a stream of thoughts along the lines of "I bet that will be broken in an matter of days, biometrics are not ready for prime time", "You don't go around leaving a smudgy …</p><p>I can clearly remember my first reaction when I heard about fingerprint readers on phones. It was a stream of thoughts along the lines of "I bet that will be broken in an matter of days, biometrics are not ready for prime time", "You don't go around leaving a smudgy copy of your password on every glass you hold" and "You can change your password but good luck resetting your fingerprint after that gets compromised."</p>
<p>But I was falling into a trap that's all to common in information security<sup id="fnref:security"><a class="footnote-ref" href="#fn:security">1</a></sup> of rejecting an idea because it isn't perfect. When the question that I <a href="https://xo.tc/perfectly-good.html">should have been asking</a> isn't "Is it flawless?" but "Is it better than what we currently have?".</p>
<p>Shortly after my initial reaction I started thinking a little more deeply about the idea and I could think of a number of friends and family that didn't even use a pin on their phone because it was too much effort to unlock every time. I decided that if a fingerprint reader was significantly more <a href="https://xo.tc/avids-rule-of-usability.html">convenient</a> and if that was enough to get people to lock their phone then it would be a net win for security.</p>
<p>I recently bought a <a href="https://store.google.com/product/nexus_6p">Nexus 6P</a> and installed <a href="https://wiki.cyanogenmod.org/w/Angler_Info">CyanogenMod</a>. Now that I've got a fingerprint reader I think it's just brilliant. Previously I used a pattern to lock my screen and for my encryption key because it was quick and easy. Now I use a 16 character password<sup id="fnref:16-character-password"><a class="footnote-ref" href="#fn:16-character-password">2</a></sup> which is hard to type for the lock screen and encryption key. Then when I want to unlock it for every day use I just use my fingerprint.</p>
<p>I still need to enter my password to decrypt my phone if I reboot it. And every three days it <a href="https://github.com/android/platform_frameworks_base/blob/25b4d4b280c6aa07656328bd9dd90977781d00e1/packages/Keyguard/src/com/android/keyguard/KeyguardUpdateMonitor.java#L136-L140">times out</a> but because I don't have to enter it every single time I unlock it, it's not too much of a hassle so I don't mind having a longer and more secure password.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:security">
<p>It's not just an issue in InfoSec, comes up in all areas of life. <a class="footnote-backref" href="#fnref:security" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:16-character-password">
<p>I'd like to use a longer passphrase but unfortunately <a href="https://github.com/android/platform_packages_apps_settings/commit/70d5c3a0139899e5f4d425c8ab2d68f0dfc5c6da">16 character</a> is the <a href="https://code.google.com/p/android/issues/detail?id=52314">limit</a> for now. <a class="footnote-backref" href="#fnref:16-character-password" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>How often should you change your password?2016-08-11T07:00:00+08:002016-08-11T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-08-11:/how-often-should-you-change-your-password.html<p>There was an <a href="http://arstechnica.com/security/2016/08/frequent-password-changes-are-the-enemy-of-security-ftc-technologist-says/">article</a> recently based on a <a href="https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf">2010 study</a> that suggested that frequent password changes actually negatively impact security.</p>
<p>I agree with the article but feel that some of the commentary could be a little more nuanced. The thrust of the article is that forcing regular password changes <a href="https://xo.tc/avids-rule-of-usability.html">irritates …</a></p><p>There was an <a href="http://arstechnica.com/security/2016/08/frequent-password-changes-are-the-enemy-of-security-ftc-technologist-says/">article</a> recently based on a <a href="https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf">2010 study</a> that suggested that frequent password changes actually negatively impact security.</p>
<p>I agree with the article but feel that some of the commentary could be a little more nuanced. The thrust of the article is that forcing regular password changes <a href="https://xo.tc/avids-rule-of-usability.html">irritates users</a> and they turn to patterns like adding a number on the end and just incrementing it. I've seen my share of users who will happily announce to the world that their password is 'August2016' without being asked.</p>
<p>If MySpace forced passwords to expire every 30 days and you found 'March2008' in the recent <a href="https://haveibeenpwned.com/PwnedWebsites#MySpace">MySpace</a> breach, it wouldn't take a genius to work out what was next.</p>
<p>On the other hand, occasional password changes do have their place. Should MySpace wait until there is public evidence of a breach to force a reset? What about other organisations like <a href="http://krebsonsecurity.com/2016/06/password-re-user-get-to-get-busy/">Facebook and Netflix</a> who reset passwords of users because they had reused passwords their MySpace password? There are a lot of ifs here;</p>
<ul>
<li>If MySpace had used a secure hash like <a href="https://en.wikipedia.org/wiki/PBKDF2">PBKDF2</a> or <a href="https://en.wikipedia.org/wiki/Bcrypt">bcrypt</a> then all but the weakest of passwords would be secure and;</li>
<li>If users picked passwords with a significant amount of entropy they wouldn't be cracked even if MySpace just used md5 and;</li>
<li>If users didn't reuse passwords across sites it wouldn't be an issue for other site anyway and;</li>
<li>If ...</li>
</ul>
<p>Our natural response as security professionals is to try to <em>force</em> people to use good password hygiene so we resort to things like password expiry dates and complexity requirements that actually restrict the number of available passwords.</p>
<p>We should look at ways to <em>encourage</em> good password hygiene, sign up forms can offer the option to generate a password<sup id="fnref:generate"><a class="footnote-ref" href="#fn:generate">1</a></sup> and a button to copy it into the clipboard so users can use a password manager. Maybe organisations should include tools like <a href="http://keepass.info/">KeePass</a> as part of the standard operating environment and make them available on all desktops.</p>
<p>In the future we need to move to things like two factor authentication with a <a href="https://www.nitrokey.com/">hardware</a> <a href="https://www.yubico.com/">device</a> and reduce our reliance on passwords.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:generate">
<p>My preferred method of generating passwords is <code>dd if=/dev/random bs=1 count=18 2>/dev/null | base64</code>. I haven't looked into this at all, but I'm sure there would be a secure way to do the equivalent of that in client side JavaScript. <a class="footnote-backref" href="#fnref:generate" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Kerckhoffs's principle2016-08-04T07:00:00+08:002016-08-04T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-08-04:/kerckhoffss-principle.html<p>One of the security tenants that I live by is <a href="https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle">Kerckhoffs's principle</a>.</p>
<blockquote>
<p>A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.</p>
<p>-- Auguste Kerckhoffs, 1883</p>
</blockquote>
<p>It's beautiful in it's simplicity and yet counter intuitive.</p>
<p>It's a beguiling myth that if you want to …</p><p>One of the security tenants that I live by is <a href="https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle">Kerckhoffs's principle</a>.</p>
<blockquote>
<p>A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.</p>
<p>-- Auguste Kerckhoffs, 1883</p>
</blockquote>
<p>It's beautiful in it's simplicity and yet counter intuitive.</p>
<p>It's a beguiling myth that if you want to make a system secure you should make it secret. Hundreds of years of experience have thought us that for a system to be truly robust it needs to be open and auditable.</p>
<p>Kerckhoffs's principle is applicable to so much more than just cryptography. I think it needs to be much broader, and apply to any system designed to provide security.</p>
<blockquote>
<p>A security system should be secure even if everything about the system, except the key, is public knowledge.</p>
</blockquote>
<p>I recently spent a little time looking at physical security controls, things like security cameras and digital locks (RFID cards). It makes my blood boil when I see how much vendors try to restrict information and refuse to publish even a basic manual.</p>
<p>Especially as often once someone takes a good look their products turn out to be <a href="http://demoseen.com/bhpaper.html">riddled</a> <a href="http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-things-for-photos-of-sleeping-babies/">with</a> <a href="https://en.wikipedia.org/wiki/MIFARE#Security_of_MIFARE_Classic.2C_MIFARE_DESFire_and_MIFARE_Ultralight">vulnerabilities</a>. Then rather than fix the vulnerabilities vendors try to use things like the Digital Millennium Copyright Act (DMCA) to <a href="http://blog.cryptographyengineering.com/2016/07/statement-on-dmca-lawsuit.html">silence security researchers</a> and prevent the information spreading.</p>Updating UEFI BIOS on Lenovo ThinkPad X2202016-07-28T07:00:00+08:002016-07-28T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-07-28:/updating-uefi-bios-on-lenovo-thinkpad-x220.html<p>I've got a ThinkPad X220 and I've been a bit lax about patching the UEFI/BIOS. But recently this <a href="https://support.lenovo.com/au/en/product_security/smm_attack">SMM "Incursion" Attack</a> has been getting a bit of publicity and it's spurred me to try to patch it. It's worth noting that this bug is not specific to Lenovo, but …</p><p>I've got a ThinkPad X220 and I've been a bit lax about patching the UEFI/BIOS. But recently this <a href="https://support.lenovo.com/au/en/product_security/smm_attack">SMM "Incursion" Attack</a> has been getting a bit of publicity and it's spurred me to try to patch it. It's worth noting that this bug is not specific to Lenovo, but something that affects most vendors of Intel based hardware. For those interested some of the best coverage I've found was from a recent <a href="http://risky.biz/RB417">risky business</a> podcast<sup id="fnref:podcast"><a class="footnote-ref" href="#fn:podcast">1</a></sup>.</p>
<p>Unfortunately Lenovo don't provide a way to upgrade the BIOS from Linux. While the ThinkPad X220 is officially supported with Linux (RedHat and Fedora) the only BIOS update utility they provide is for Windows.</p>
<p>I went on to the <a href="http://support.lenovo.com/au/en/products/laptops-and-netbooks/thinkpad-x-series-laptops/thinkpad-x220/">Lenovo support site</a> and for the BIOS update, under Operating system I picked "Not Applicable" a few patches BIOS and Firmware patches came up but all of them were .exe files.</p>
<p>After a long time of searching I found that they do provide a .iso file of a bootable CD to patch your BIOS but you have to pick Windows as the operating system to find it. I have no idea why they think that .exe files are "Not Applicable" but an iso is a Windows specific option but maybe they didn't put much thought into it.</p>
<p>Now that I had an iso I was half way there, but the ThinkPad X series don't have an optical drive and simply dd'ing the image onto a flash drive didn't work.</p>
<p>I found some instructions on <a href="http://www.thinkwiki.org/wiki/BIOS_Upgrade#Using_UEFI">ThinkWiki</a> with a link to a <a href="https://userpages.uni-koblenz.de/~krienke/ftp/noarch/geteltorito/">perl script</a> that could create a bootable image.</p>
<p>I copied the image onto a flash drive but when I tried to boot it failed, after a bit of experimentation I found that the instructions on ThinkWiki were not quite right, they recommended setting the boot to UEFI only but I found that I needed to use Legacy BIOS to boot the flash drive.</p>
<p>After that I was able to boot the drive and update my BIOS.</p>
<h2>Final steps</h2>
<p>So in summary the steps that finally worked were:</p>
<ol>
<li>Download the <a href="http://support.lenovo.com/au/en/products/laptops-and-netbooks/thinkpad-x-series-laptops/thinkpad-x220/downloads/DS018807">iso file.</a></li>
<li>Convert the iso file to a bootable image.<ol>
<li><code>wget https://userpages.uni-koblenz.de/~krienke/ftp/noarch/geteltorito/geteltorito.pl</code></li>
<li><code>perl geteltorito.pl -o ThinkPad-x220-bios-update.img 8duj27us.iso</code></li>
</ol>
</li>
<li>Copy the image onto a flash drive<ol>
<li>Check the name of your flash drive first! <code>dd if=ThinkPad-x220-bios-update.img of=/dev/sdb</code></li>
</ol>
</li>
<li>Set boot to "Both" Legacy and UEFI<ol>
<li>Reboot, pressing F1 while booting to enter setup</li>
<li>Go to Setup > UEFI/Legacy Boot > Both</li>
<li>F10 to save and exit</li>
</ol>
</li>
<li>Boot the flash drive<ol>
<li>Press F12 while booting to and select your flash drive.</li>
</ol>
</li>
</ol>
<p>Follow the prompts to upgrade your UEFI/BIOS and your done.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:podcast">
<p>Risky Business #417 from 14:20 to 18:00 <a class="footnote-backref" href="#fnref:podcast" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Setting Up Full Disk Encryption on Arch Linux2016-07-21T07:00:00+08:002016-07-21T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-07-21:/setting-up-full-disk-encryption-on-arch-linux.html<p>I recently switched my laptop over from <a href="https://wiki.debian.org/DebianStretch">Debian Stretch</a> to <a href="https://www.archlinux.org/">Arch Linux</a>.</p>
<p>Debian is still my go to distribution for any server, but I felt like I was in a bit of a no man's land with my laptop. Debian stable (currently Jessie) is rock solid and reliable but I …</p><p>I recently switched my laptop over from <a href="https://wiki.debian.org/DebianStretch">Debian Stretch</a> to <a href="https://www.archlinux.org/">Arch Linux</a>.</p>
<p>Debian is still my go to distribution for any server, but I felt like I was in a bit of a no man's land with my laptop. Debian stable (currently Jessie) is rock solid and reliable but I want to install new packages, like the latest version of Firefox. Debian testing and unstable (Stretch and Sid) are well ... unstable, and you really can't complain when things break<sup id="fnref:complain"><a class="footnote-ref" href="#fn:complain">1</a></sup>.</p>
<p>I've been using Arch Linux on my desktop for a while and for a bleeding edge distribution it's surprisingly stable<sup id="fnref:surprisingly-stable"><a class="footnote-ref" href="#fn:surprisingly-stable">2</a></sup>.</p>
<p>These my notes on <a href="https://wiki.archlinux.org/index.php/Installation_guide">installing Arch Linux</a> on my laptop with Full Disk Encryption. As I noted in my post on <a href="https://xo.tc/setting-up-full-disk-encryption-on-debian-jessie.html">Setting Up Full Disk Encryption on Debian Jessie</a> it's not really "Full" disk encryption, there is still a small partition <code>/boot</code> that's unencrypted and will contain the kernel and <a href="https://en.wikipedia.org/wiki/Initramfs">initramfs</a>.</p>
<h2>Download</h2>
<p>First I <a href="https://www.archlinux.org/download/">downloaded</a> the latest Arch Linux iso, verified it, and copied it to a USB flash drive.</p>
<div class="highlight"><pre><span></span><code><span class="nv">gpg</span> <span class="o">--</span><span class="nv">recv</span><span class="o">-</span><span class="nv">keys</span> <span class="mi">0</span><span class="nv">x7f2d434b9741e8ac</span>
<span class="nv">gpg</span> <span class="o">--</span><span class="nv">verify</span> <span class="nv">archlinux</span><span class="o">-</span><span class="mi">2016</span>.<span class="mi">07</span>.<span class="mi">01</span><span class="o">-</span><span class="nv">dual</span>.<span class="nv">iso</span>.<span class="nv">sig</span>
<span class="nv">dd</span> <span class="k">if</span><span class="o">=</span><span class="nv">archlinux</span><span class="o">-</span><span class="mi">2016</span>.<span class="mi">07</span>.<span class="mi">01</span><span class="o">-</span><span class="nv">dual</span>.<span class="nv">iso</span> <span class="nv">of</span><span class="o">=/</span><span class="nv">dev</span><span class="o">/</span><span class="nv">sdb</span>
</code></pre></div>
<h2>Install</h2>
<p>Then I booted the USB drive and, updated the time, because that's what it says in the documentation and it's a good idea.</p>
<div class="highlight"><pre><span></span><code>timedatectl set-ntp true
</code></pre></div>
<p>I created 3 partitions on my hard drive an 80GB SSD:</p>
<ol>
<li>512MB FAT32 partition to boot from.</li>
<li>A big partition to be used as the root.</li>
<li>A 4GB partition for swap space.</li>
</ol>
<div class="highlight"><pre><span></span><code>parted /dev/sda
> mklabel gpt
> mkpart ESP fat32 1MiB 513MiB
> set 1 boot on
> mkpart primary 513MiB -4G
> mkpart primary 76GB 100%
</code></pre></div>
<p>I setup a LUKs volume on the second partition, formated it to btrfs then mounted it to <code>/mnt/</code> and mounted the FAT32 volume to <code>/mnt/boot</code></p>
<div class="highlight"><pre><span></span><code>cryptsetup luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 arch_root
mkfs.btrfs /dev/mapper/arch_root
mount /dev/mapper/arch_root /mtn/
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
</code></pre></div>
<p>I updated the mirrors list and installed Arch Linux following the install guide and installed vim<sup id="fnref:vim"><a class="footnote-ref" href="#fn:vim">3</a></sup> and added a host name.</p>
<div class="highlight"><pre><span></span><code>vim /etc/pacman.d/mirrorlist
pacstrap /mnt base
genfstab -p /mnt >> /mnt/etc/fstab
arch-chroot /mnt
ln -s /usr/share/zoneinfo/Australia/Perth /etc/localtime
nano /etc/locale.gen
locale-gen
nano /etc/locale.conf
# LANG=en_AU.UTF-8
pacman -S vim
vim /etc/hostname
</code></pre></div>
<p>I edited <code>/etc/mkinitcpio.conf</code> to add <code>encrypt</code> after <code>udev</code> on line 51 and then created my initramfs</p>
<div class="highlight"><pre><span></span><code>vim /etc/mkinitcpio.conf
# HOOKS="base udev encrypt autodetect modconf block filesystems keyboard fsck"
mkinitcpio -p linux
</code></pre></div>
<p>Next I used <a href="https://wiki.archlinux.org/index.php/EFISTUB#efibootmgr">efibootmgr</a> to add an entry into my EFI boot options to boot the Linux kernel directly rather than using a boot loader like GRUB which then boots the kernel.</p>
<p>I think this is an extremely elegant solution as it means I end up with only 3 files in my <code>/boot/</code> volume: The kernel, The initramfs, and a fallback initramfs (which isn't really necessary). It's much neater than a bunch of GRUB scripts and config files.</p>
<div class="highlight"><pre><span></span><code>pacman -S efibootmgr
efibootmgr -d /dev/sda -p 1 -c -L "Arch Linux" -l /vmlinuz-linux -u "cryptdevice=/dev/sda2:arch_root root=/dev/mapper/archroot rw initrd=/initramfs-linux.img"
</code></pre></div>
<p>Next I added a user and setup sudo so they could become root.</p>
<div class="highlight"><pre><span></span><code>useradd michael --create-home --groups wheel
passwd michael
pacman -S sudo
visudo
# Uncomment line 82. %wheel ALL=(ALL) ALL
</code></pre></div>
<p>Lastly I setup my swap partition to be a LUKs volume with a random key.</p>
<div class="highlight"><pre><span></span><code>vim /etc/crypttab
# arch_swap /dev/sda3 /dev/urandom swap
vim /etc/fstab
# /dev/mapper/arch_swap none swap sw 0 0
</code></pre></div>
<p>I exited the chroot and rebooted.</p>
<div class="highlight"><pre><span></span><code><span class="k">exit</span>
<span class="nv">reboot</span>
</code></pre></div>
<h2>Post install</h2>
<p>I installed KDE because that's my desktop of choice but the lovely thing about Arch Linux is you can make it almost anything you want.</p>
<div class="highlight"><pre><span></span><code># Logged in as Michael, but run as root
dhcpcd enp0s25
pacman -S xorg-server
pacman -S plasma-meta
pacman -S kde-applications-meta
pacann -S sddm
systemctl enable sddm.service
systemctl enable NetworkManager.service
</code></pre></div>
<p>Added the track pad driver</p>
<div class="highlight"><pre><span></span><code>pacman -S xf86-input-synaptics
</code></pre></div>
<p>Set time to NTP, I would have though this would be done automatically because I'd synced the time when I started the installer, but apparently not.</p>
<div class="highlight"><pre><span></span><code>timedatectl set-ntp true
</code></pre></div>
<p>And set the KDE Wallet to <a href="https://wiki.archlinux.org/index.php/KDE_Wallet#Unlock_KDE_Wallet_automatically_on_login">automatically unlock</a> with my user password. This is a slight trade off in security because with the default setup I could have two different passwords, or I could login but choose not to unlock the wallet. But in this case I've decided to go with it because it's much more convenient and secure enough.</p>
<div class="highlight"><pre><span></span><code>sudo pacman -S kwallet-pam
vim /etc/pam.d/sddm
</code></pre></div>
<p>My sddm file</p>
<div class="highlight"><pre><span></span><code>#<span class="o">%</span><span class="nv">PAM</span><span class="o">-</span><span class="mi">1</span>.<span class="mi">0</span>
<span class="nv">auth</span> <span class="k">include</span> <span class="nv">system</span><span class="o">-</span><span class="nv">login</span>
<span class="nv">auth</span> <span class="nv">optional</span> <span class="nv">pam_kwallet5</span>.<span class="nv">so</span>
<span class="nv">auth</span> <span class="nv">optional</span> <span class="nv">pam_kwallet</span>.<span class="nv">so</span> <span class="nv">kdehome</span><span class="o">=</span>.<span class="nv">kde4</span>
<span class="nv">account</span> <span class="k">include</span> <span class="nv">system</span><span class="o">-</span><span class="nv">login</span>
<span class="nv">password</span> <span class="k">include</span> <span class="nv">system</span><span class="o">-</span><span class="nv">login</span>
<span class="nv">session</span> <span class="k">include</span> <span class="nv">system</span><span class="o">-</span><span class="nv">login</span>
<span class="nv">session</span> <span class="nv">optional</span> <span class="nv">pam_kwallet5</span>.<span class="nv">so</span>
<span class="nv">session</span> <span class="nv">optional</span> <span class="nv">pam_kwallet</span>.<span class="nv">so</span>
</code></pre></div>
<div class="footnote">
<hr>
<ol>
<li id="fn:complain">
<p>You can't complain but you can file bug reports, which is helpful to the Debian maintainers. <a class="footnote-backref" href="#fnref:complain" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:surprisingly-stable">
<p>Things still break in new and interesting ways on Arch Linux, just less often than I would expect for the rate of package churn. <a class="footnote-backref" href="#fnref:surprisingly-stable" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:vim">
<p>Vim is included in the installer .iso file, so you can use it while your installing, but it's not part of the base packages so once you run <code>arch-chroot</code> you can't use it until you install it <code>pacman -S vim</code> <a class="footnote-backref" href="#fnref:vim" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
</ol>
</div>StartSSL launches StartEncrypt2016-07-14T07:00:00+08:002016-07-14T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-07-14:/startssl-launches-startencrypt.html<p>Let's Encrypt has been shaking things up in the Certification Authority world. Let's Encrypt certificates are free, automated and easy to install. They have been gaining market share like crazy. Some CA's have reacted to their loss of market share in <a href="https://letsencrypt.org/2016/06/23/defending-our-brand.html">interesting ways</a>.</p>
<p>Let's Encrypt are not <a href="https://xo.tc/perfectly-good.html">perfict, but they …</a></p><p>Let's Encrypt has been shaking things up in the Certification Authority world. Let's Encrypt certificates are free, automated and easy to install. They have been gaining market share like crazy. Some CA's have reacted to their loss of market share in <a href="https://letsencrypt.org/2016/06/23/defending-our-brand.html">interesting ways</a>.</p>
<p>Let's Encrypt are not <a href="https://xo.tc/perfectly-good.html">perfict, but they are good</a> and they are available <em>now</em> rather than spending another 6 years in development trying to achieve perfection.</p>
<p>They have some notable (and largely intentional) limitations:</p>
<ul>
<li>They don't do Extended Validation certificates.</li>
<li>They don't do wildcard certificates.</li>
<li>They don't issue certificates for internal servers can't be accessed from the internet<sup id="fnref:internal"><a class="footnote-ref" href="#fn:internal">1</a></sup>.</li>
<li>They don't issue client certificates to be used for things like S/MIME.</li>
<li>Certificates are limited to 90 days.</li>
</ul>
<p>These limitations mean that Let's encrypt is only useful about 99% of the time<sup id="fnref:99-percent-of-the-time"><a class="footnote-ref" href="#fn:99-percent-of-the-time">2</a></sup>.</p>
<p>One thing Let's Encrypt was meant to do was make other Certification Authorities innovate, and <a href="https://www.startcom.org/">StartCom</a> have done that. In my opinion they were already one of the innovators in the field. They were giving away free domain validated SSL Certificates and for Extended Validation you could validate once and then get an unlimited number EV of certificates. In other words they were only charging you for things that were not automated which in itself was pretty revolutionary. Their validation process was pretty rigorous and while parts of their UI felt a little clunky it all worked pretty well.</p>
<p>Now they have released <a href="https://startssl.com/StartEncrypt">StartEncrypt</a> which is clearly designed to go head to head with Let's Encrypt, from their announcement email:</p>
<blockquote>
<p>Compare with Let’s Encrypt, StartEncrypt support Windows and Linux server for most popular web server software, and have many incomparable advantages as:</p>
<p>(1) Not just get the SSL certificate automatically, but install it automatically;</p>
<p>(2) Not just Encrypted, but also identity validated to display EV Green Bar and OV organization name in the certificate;</p>
<p>(3) Not just 90 days period certificate, but up to 39 months, more than 1180 days;</p>
<p>(4) Not just low assurance DV SSL certificate, but also high assurance OV SSL certificate and green bar EV SSL certificate;</p>
<p>(5) Not just for one domain, but up to 120 domains with wildcard support;</p>
<p>(6) All OV SSL certificate and EV SSL certificate are free, just make sure your StartSSL account is verified as Class 3 or Class 4 identity.</p>
</blockquote>
<p>I don't think their points are worded particularly well; The first point implies that Let's Encrypt can't install certificates, but Let's Encrypt can automatically install certificates for Apache. The second and fourth points are basically the same. And the fifth point implies that Let's Encrypt can't handle multiple domain names, but it can have up to <a href="https://community.letsencrypt.org/t/maximum-number-of-sites-on-one-certificate/10634/3?u=xotc">100 domain names per certificate</a>, although as said above it won't do wildcards.</p>
<p>Unfortunately the StartEncrypt client appears to be a closed source binary which is a serious problem for a lot of people. I'll admit that I've not read more than a few hundred lines of the <a href="https://github.com/certbot/certbot">Certbot's source code</a> but it's a huge comfort to know that I can if I want to. Also the documentation is fairly thin on the ground, if you download the <a href="https://download.startpki.com/startcom/linux/StartEncrypt-x64.tar.gz">install file</a> there is an <a href="https://xo.tc/StartEncrypt-Operation-Manual-V3-Linux.pdf">Operating Manual</a> in the doc directory but it's not especially detailed.</p>
<p>If running a closed source binary is not your thing they also have an API, unfortunately at the time of this writing to access the <a href="https://startssl.com/StartAPI/Docs">documentation for the API</a> you need to be signed in. From a quick reading it looks to be a fairly simple REST API that you could use to write your own client.</p>
<p>Even though I'll probably be sticking with Let's Encrypt for most things, I think it's great to see some competition.</p>
<p>Also I know StartCom have copped some flack in the past because they gave out free certificates but changed to $25 revoke them. But I think their pricing is reasonable, they charge for manual processes, revocation was a manual process when heartbleed happened so they charged for it. Similarly they offer unlimited free Extended Validation certificates <em>after</em> you have been validated. Validation costs $199 USD. Some people complain that validation isn't free and so EV certificates should not be advertised as free which is fair, but they are fairly upfront about that. And validation it's a real human process, they look at scanned copies of your passport, they call you up on the phone, they require proof that you represent the organization you say that you do none of that is automated.</p>
<p>Another poignant comic by the folks over at <a href="http://www.commitstrip.com">commitStrip</a></p>
<p><a href="http://www.commitstrip.com/en/2016/06/13/the-end-of-an-expensive-era/"><img alt="The end of an expensive era" src="https://xo.tc/images/Strip-The-end-of-an-expensive-era-650-final.jpg"></a></p>
<div class="footnote">
<hr>
<ol>
<li id="fn:internal">
<p>I know there are a number of ways you can get a certificate for an internal server, but the design of Let's encrypt is clearly aimed at servers they can directly validate with ACME. <a class="footnote-backref" href="#fnref:internal" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:99-percent-of-the-time">
<p>I don't have a source for that, in fact I just made it up. It might be a fun project for someone to run through certificate transparency logs like <a href="https://crt.sh/">crt.sh</a> and find out what percentage of certificates issued are just standard dv certs. If anyone does that please let me know. <a class="footnote-backref" href="#fnref:99-percent-of-the-time" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:head-to-head">
<p>On their announcement email they directly compare StartEncrypt with Let’s Encrypt <a class="footnote-backref" href="#fnref:head-to-head" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
</ol>
</div>Setting up Gogs on Debian Jessie with Apache2 and PostgreSQL2016-07-07T07:00:00+08:002016-07-07T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-07-07:/setting-up-gogs-on-debian-jessie-with-apache2-and-postgresql.html<p>These are my notes from setting up <a href="https://gogs.io/">Gogs</a> on Debian 8 Jessie with Apache2 and PostgreSQL.</p>
<p>This guide assumes you have a fresh copy of Debian Jessie and it's up to date <code>sudo apt-get update && sudo apt-get dist-upgrade && sudo apt-get autoremove</code>.</p>
<h2>Firewall</h2>
<p>On my server access to all ports except …</p><p>These are my notes from setting up <a href="https://gogs.io/">Gogs</a> on Debian 8 Jessie with Apache2 and PostgreSQL.</p>
<p>This guide assumes you have a fresh copy of Debian Jessie and it's up to date <code>sudo apt-get update && sudo apt-get dist-upgrade && sudo apt-get autoremove</code>.</p>
<h2>Firewall</h2>
<p>On my server access to all ports except 22, 80 and 443 are blocked by an external firewall. If you don't have this I'd recommend setting up iptables to block public access to port 3000 but that is beyond the scope of this post.</p>
<h2>Install the prerequisites</h2>
<div class="highlight"><pre><span></span><code>sudo apt-get install apache2 git postgresql
</code></pre></div>
<h2>Add a user for the service to run as</h2>
<div class="highlight"><pre><span></span><code>sudo useradd --system --home-dir /home/git --create-home git
</code></pre></div>
<h2>create a log directory for gogs</h2>
<div class="highlight"><pre><span></span><code>sudo mkdir /var/log/gogs
sudo mkdir /opt/gogs
sudo chown git:git /var/log/gogs/
</code></pre></div>
<h2>Create a PostgreSQL database</h2>
<div class="highlight"><pre><span></span><code><span class="c1"># Generate a password</span>
dd <span class="k">if</span><span class="o">=</span>/dev/random <span class="nv">bs</span><span class="o">=</span><span class="m">1</span> <span class="nv">count</span><span class="o">=</span><span class="m">18</span> <span class="m">2</span>>/dev/null <span class="p">|</span> base64
<span class="c1"># Connect to psql</span>
sudo su postgres -c psql
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="k">CREATE</span> <span class="k">USER</span> <span class="n">gogs_user</span> <span class="k">WITH</span> <span class="n">PASSWORD</span> <span class="s1">'HNefjrdVmVQdzU4Ssso0FMCt'</span><span class="p">;</span>
<span class="k">CREATE</span> <span class="k">DATABASE</span> <span class="n">gogs_db</span><span class="p">;</span>
<span class="k">GRANT</span> <span class="k">ALL</span> <span class="k">PRIVILEGES</span> <span class="k">ON</span> <span class="k">DATABASE</span> <span class="n">gogs_db</span> <span class="k">to</span> <span class="n">gogs_user</span><span class="p">;</span>
<span class="err">\</span><span class="n">q</span>
</code></pre></div>
<h2>Download gogs</h2>
<div class="highlight"><pre><span></span><code><span class="nb">cd</span> /opt/gogs/
<span class="c1"># This will obviously need to be updated to the latest version</span>
sudo wget https://cdn.gogs.io/gogs_v0.9.13_linux_amd64.tar.gz
sudo tar xzfv gogs_v0.9.13_linux_amd64.tar.gz
sudo rm gogs_v0.9.13_linux_amd64.tar.gz
sudo chown -R git:git /opt/gogs
</code></pre></div>
<h2>Make it a service</h2>
<p>Copy the systmed template and edit it</p>
<div class="highlight"><pre><span></span><code>sudo cp /opt/gogs/gogs/scripts/systemd/gogs.service /etc/systemd/system/gogs.service
sudo vim /etc/systemd/system/gogs.service
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="k">[Unit]</span>
<span class="na">Description</span><span class="o">=</span><span class="s">Gogs (Go Git Service)</span>
<span class="na">After</span><span class="o">=</span><span class="s">syslog.target</span>
<span class="na">After</span><span class="o">=</span><span class="s">network.target</span>
<span class="c1">#After=mysqld.service</span>
<span class="na">After</span><span class="o">=</span><span class="s">postgresql.service</span>
<span class="c1">#After=memcached.service</span>
<span class="c1">#After=redis.service</span>
<span class="k">[Service]</span>
<span class="c1"># Modify these two values and uncomment them if you have</span>
<span class="c1"># repos with lots of files and get an HTTP error 500 because</span>
<span class="c1"># of that</span>
<span class="c1">###</span>
<span class="c1">#LimitMEMLOCK=infinity</span>
<span class="c1">#LimitNOFILE=65535</span>
<span class="na">Type</span><span class="o">=</span><span class="s">simple</span>
<span class="na">User</span><span class="o">=</span><span class="s">git</span>
<span class="na">Group</span><span class="o">=</span><span class="s">git</span>
<span class="na">WorkingDirectory</span><span class="o">=</span><span class="s">/opt/gogs/gogs</span>
<span class="na">ExecStart</span><span class="o">=</span><span class="s">/opt/gogs/gogs/gogs web</span>
<span class="na">Restart</span><span class="o">=</span><span class="s">always</span>
<span class="na">Environment</span><span class="o">=</span><span class="s">USER=git HOME=/home/git</span>
<span class="k">[Install]</span>
<span class="na">WantedBy</span><span class="o">=</span><span class="s">multi-user.target</span>
</code></pre></div>
<p>And start the service</p>
<div class="highlight"><pre><span></span><code>sudo systemctl <span class="nb">enable</span> gogs <span class="o">&&</span> sudo systemctl start gogs
</code></pre></div>
<h2>Install the gogs server</h2>
<p>If you're doing this locally you can just browse to <a href="http://localhost:3000">http://localhost:3000</a>. In my case I've SSHed into the server and I'm forwarding the port <code>ssh -L 3000:localhost:3000 gogs-server.example.com</code></p>
<ul>
<li>Change the Database Type to PostgreSQL</li>
<li>Change the User to gogs_user</li>
<li>Change the password to the one you set earlier</li>
<li>Change the Database Name to gogs_db</li>
<li>Change the Repository Root Path to /opt/gogs/</li>
<li>Change the domain to the address of your server</li>
<li>Change the application url to include https and the address of your server</li>
<li>Change the log path to /var/log/gogs</li>
</ul>
<p>The rest of the defaults are fine for now.</p>
<p><img alt="Gogs install page" src="https://xo.tc/images/gogs-install-page.png"></p>
<p>You should also create an account now, as the first account created will become the admin account.</p>
<h2>Setup Apache</h2>
<p>First we want to secure our connections</p>
<h3>Let's Encrypt</h3>
<div class="highlight"><pre><span></span><code>cd
git clone https://github.com/certbot/certbot
cd certbot
./certbot-auto --apache -d gogs-server.example.com
</code></pre></div>
<h3>Apache Proxy</h3>
<div class="highlight"><pre><span></span><code>sudo vim /etc/apache2/sites-enabled/000-default-le-ssl.conf
</code></pre></div>
<p>Under VirtualHost add</p>
<div class="highlight"><pre><span></span><code><span class="nt"><Proxy</span> <span class="err">*</span><span class="nt">></span>
Order allow,deny
Allow from all
<span class="nt"></Proxy></span>
ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/
</code></pre></div>
<p>or in my case I've got a few other services running on this host so I've done</p>
<div class="highlight"><pre><span></span><code>################################################################################
# Gogs
################################################################################
<span class="nt"><Proxy</span> <span class="err">/gogs</span><span class="nt">></span>
Order allow,deny
Allow from all
<span class="nt"></Proxy></span>
ProxyPass /gogs http://127.0.0.1:3000
ProxyPassReverse /gogs http://127.0.0.1:3000
</code></pre></div>
<p>I was having all soughts of problems with gogs login page giving a 404 error until I found an <a href="https://github.com/gogits/gogs/issues/1202">issue</a> on GitHub and then I removed the trailing <code>/</code> for the proxy pass command (it was <code>ProxyPass /gogs http://127.0.0.1:3000/</code>) and that fixed it.</p>Setting up FreeRADIUS to secure your WiFi2016-06-30T07:00:00+08:002016-06-30T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-06-30:/setting-up-freeradius-to-secure-your-wifi.html<p>This is the last in a three part series of posts on; <a href="https://xo.tc/setting-up-a-personal-certification-authority.html">Setting up a personal Certification Authority</a>, <a href="https://xo.tc/securing-apache-with-client-certificates.html">Securing Apache with Client Certificates</a>, and <a href="https://xo.tc/setting-up-freeradius-to-secure-your-wifi.html">Setting up FreeRADIUS to secure your WiFi</a>.</p>
<p>If you have followed the <a href="https://xo.tc/setting-up-a-personal-certification-authority.html">first tutorial</a> you should have a .pem encoded Certification Authority Certificate and a .p12 …</p><p>This is the last in a three part series of posts on; <a href="https://xo.tc/setting-up-a-personal-certification-authority.html">Setting up a personal Certification Authority</a>, <a href="https://xo.tc/securing-apache-with-client-certificates.html">Securing Apache with Client Certificates</a>, and <a href="https://xo.tc/setting-up-freeradius-to-secure-your-wifi.html">Setting up FreeRADIUS to secure your WiFi</a>.</p>
<p>If you have followed the <a href="https://xo.tc/setting-up-a-personal-certification-authority.html">first tutorial</a> you should have a .pem encoded Certification Authority Certificate and a .p12 encoded client certificate with a key.</p>
<h2>Server Certificate</h2>
<p>We will also need a server certificate for the RADIUS server, so let's open TinyCA and create one.</p>
<p>Create a new certificate request.
<img alt="FreeRADIUS Certificate" src="https://xo.tc/images/radius-server-certificate-1.png"></p>
<p>This time for a server certificate so for example <code>radius.xo.tc</code>
<img alt="FreeRADIUS Certificate" src="https://xo.tc/images/radius-server-certificate-2.png"></p>
<p>Sign the request
<img alt="FreeRADIUS Certificate" src="https://xo.tc/images/radius-server-certificate-3.png"></p>
<p>as a server certificate
<img alt="FreeRADIUS Certificate" src="https://xo.tc/images/radius-server-certificate-4.png"></p>
<p><img alt="FreeRADIUS Certificate" src="https://xo.tc/images/radius-server-certificate-5.png"></p>
<p><img alt="FreeRADIUS Certificate" src="https://xo.tc/images/radius-server-certificate-6.png"></p>
<p>Now export the certificate
<img alt="FreeRADIUS Certificate" src="https://xo.tc/images/radius-server-certificate-7.png"></p>
<p>I prefer to export the certificate and the key separately.
<img alt="FreeRADIUS Certificate" src="https://xo.tc/images/radius-server-certificate-8.png"></p>
<p><img alt="FreeRADIUS Certificate" src="https://xo.tc/images/radius-server-certificate-9.png"></p>
<p><img alt="FreeRADIUS Certificate" src="https://xo.tc/images/radius-server-certificate-10.png"></p>
<p>and scp the files across to the server.</p>
<h2>RADIUS Server</h2>
<p>Next we need to install FreeRADIUS on a server that your wireless access points can connect to, on Debian run <code>sudo apt-get install freeradius</code></p>
<p>then we need to generate a shared secret key that is used for secure communication between your wireless access points and your RADIUS server.</p>
<div class="highlight"><pre><span></span><code>dd <span class="k">if</span><span class="o">=</span>/dev/random <span class="nv">bs</span><span class="o">=</span><span class="m">1</span> <span class="nv">count</span><span class="o">=</span><span class="m">36</span> <span class="m">2</span>>/dev/null <span class="p">|</span> base64
</code></pre></div>
<p>And then we need to edit <code>/etc/freeradius/clients.conf</code></p>
<p>Add in the IP address of your wireless access point.</p>
<div class="highlight"><pre><span></span><code>client localhost {
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# ipaddr = 127.0.0.1
ipaddr = 10.1.1.2
</code></pre></div>
<p>and your shared secret key<sup id="fnref:key"><a class="footnote-ref" href="#fn:key">1</a></sup></p>
<div class="highlight"><pre><span></span><code>#
# <span class="nv">The</span> <span class="nv">shared</span> <span class="nv">secret</span> <span class="nv">use</span> <span class="nv">to</span> <span class="s2">"</span><span class="s">encrypt</span><span class="s2">"</span> <span class="nv">and</span> <span class="s2">"</span><span class="s">sign</span><span class="s2">"</span> <span class="nv">packets</span> <span class="nv">between</span>
# <span class="nv">the</span> <span class="nv">NAS</span> <span class="nv">and</span> <span class="nv">FreeRADIUS</span>. <span class="nv">You</span> <span class="nv">MUST</span> <span class="nv">change</span> <span class="nv">this</span> <span class="nv">secret</span> <span class="nv">from</span> <span class="nv">the</span>
# <span class="nv">default</span>, <span class="nv">otherwise</span> <span class="nv">it</span><span class="s1">'</span><span class="s">s not a secret any more!</span>
#
# <span class="nv">The</span> <span class="nv">secret</span> <span class="nv">can</span> <span class="nv">be</span> <span class="nv">any</span> <span class="nv">string</span>, <span class="nv">up</span> <span class="nv">to</span> <span class="mi">8</span><span class="nv">k</span> <span class="nv">characters</span> <span class="nv">in</span> <span class="nv">length</span>.
#
# <span class="nv">Control</span> <span class="nv">codes</span> <span class="nv">can</span> <span class="nv">be</span> <span class="nv">entered</span> <span class="nv">vi</span> <span class="nv">octal</span> <span class="nv">encoding</span>,
# <span class="nv">e</span>.<span class="nv">g</span>. <span class="s2">"</span><span class="s">\101\102</span><span class="s2">"</span> <span class="o">==</span> <span class="s2">"</span><span class="s">AB</span><span class="s2">"</span>
# <span class="nv">Quotation</span> <span class="nv">marks</span> <span class="nv">can</span> <span class="nv">be</span> <span class="nv">entered</span> <span class="nv">by</span> <span class="nv">escaping</span> <span class="nv">them</span>,
# <span class="nv">e</span>.<span class="nv">g</span>. <span class="s2">"</span><span class="s">foo\</span><span class="s2">"</span><span class="nv">bar</span><span class="s2">"</span>
#
# <span class="nv">A</span> <span class="nv">note</span> <span class="nv">on</span> <span class="nv">security</span>: <span class="nv">The</span> <span class="nv">security</span> <span class="nv">of</span> <span class="nv">the</span> <span class="nv">RADIUS</span> <span class="nv">protocol</span>
# <span class="nv">depends</span> <span class="nv">COMPLETELY</span> <span class="nv">on</span> <span class="nv">this</span> <span class="nv">secret</span><span class="o">!</span> <span class="nv">We</span> <span class="nv">recommend</span> <span class="nv">using</span> <span class="nv">a</span>
# <span class="nv">shared</span> <span class="nv">secret</span> <span class="nv">that</span> <span class="nv">is</span> <span class="nv">composed</span> <span class="nv">of</span>:
#
# <span class="nv">upper</span> <span class="nv">case</span> <span class="nv">letters</span>
# <span class="nv">lower</span> <span class="nv">case</span> <span class="nv">letters</span>
# <span class="nv">numbers</span>
#
# <span class="nv">And</span> <span class="nv">is</span> <span class="nv">at</span> <span class="nv">LEAST</span> <span class="mi">8</span> <span class="nv">characters</span> <span class="nv">long</span>, <span class="nv">preferably</span> <span class="mi">16</span> <span class="nv">characters</span> <span class="nv">in</span>
# <span class="nv">length</span>. <span class="nv">The</span> <span class="nv">secret</span> <span class="nv">MUST</span> <span class="nv">be</span> <span class="k">random</span>, <span class="nv">and</span> <span class="nv">should</span> <span class="nv">not</span> <span class="nv">be</span> <span class="nv">words</span>,
# <span class="nv">phrase</span>, <span class="nv">or</span> <span class="nv">anything</span> <span class="k">else</span> <span class="nv">that</span> <span class="nv">is</span> <span class="nv">recognizable</span>.
#
# <span class="nv">The</span> <span class="nv">default</span> <span class="nv">secret</span> <span class="nv">below</span> <span class="nv">is</span> <span class="nv">only</span> <span class="k">for</span> <span class="nv">testing</span>, <span class="nv">and</span> <span class="nv">should</span>
# <span class="nv">not</span> <span class="nv">be</span> <span class="nv">used</span> <span class="nv">in</span> <span class="nv">any</span> <span class="nv">real</span> <span class="nv">environment</span>.
#
<span class="nv">secret</span> <span class="o">=</span> <span class="nv">DTL1ep4eFmJQOnTXvs2pFtnCkWdTYJnPWS1bGgo87UbqtD4C</span>
</code></pre></div>
<p>I've set <code>require_message_authenticator = yes</code> and I'd recommend doing so and only change it back to no if you have issues with older clients. The rest of the defaults for clients.conf are fine.</p>
<p>Next we need to edit <code>/etc/freeradius/eap.conf</code>.</p>
<div class="highlight"><pre><span></span><code>eap {
default_eap_type = tls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = <span class="cp">${</span><span class="n">max_requests</span><span class="cp">}</span>
# EAP-TLS
tls {
certdir = <span class="cp">${</span><span class="n">confdir</span><span class="cp">}</span>/certs
cadir = <span class="cp">${</span><span class="n">confdir</span><span class="cp">}</span>/certs
# private_key_password = whatever
private_key_file = /etc/ssl/private/radius.xo.tc.key
certificate_file = /etc/ssl/custom/radius.xo.tc-cert.pem
CA_file = /etc/ssl/custom/ExampleCertificationAuthority.pem
dh_file = <span class="cp">${</span><span class="n">certdir</span><span class="cp">}</span>/dh
random_file = /dev/urandom
CA_path = <span class="cp">${</span><span class="n">cadir</span><span class="cp">}</span>
.
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24 # hours
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
}
</code></pre></div>
<p>restart FreeRADUIS <code>sudo systemctl restart freeradius.service</code></p>
<h2>Wireless Access Point</h2>
<p>Next you need to configure your access point to use the RADIUS server, this will be slightly different for each type of access point, but it generally runs along the same lines. Log into your wireless access point through it's horribly buggy uncatchable web interface that's just dripping with 0 day.</p>
<p><img alt="dlink wireless interface" src="https://xo.tc/images/wireless-access-point-login.png"></p>
<p>Find the setting for wireless security, set the encryption to WPA2 and the mode to Enterprise (or 802.11x) and add in the IP address of you RADIUS server and your secret.</p>
<p><img alt="RADIUS Settings" src="https://xo.tc/images/wireless-access-point-settings.png"></p>
<h2>The Client</h2>
<p>Again this is going to be slightly different for each type of device but I'll run through Android<sup id="fnref:Android"><a class="footnote-ref" href="#fn:Android">2</a></sup> and Debian<sup id="fnref:Debian"><a class="footnote-ref" href="#fn:Debian">3</a></sup> because that's what I have to play with but it's going to be fairly similar on most devices.</p>
<h3>Android</h3>
<p>Load the .p12 format client certificate on to the phone.</p>
<p>Now go to Settings</p>
<p><img alt="Android Settings" src="https://xo.tc/images/android-radius-01-settings.png"></p>
<p>Security</p>
<p><img alt="Android Security Settings" src="https://xo.tc/images/android-radius-02-security.png"></p>
<p>Select Install from storage and browse to the certificate.</p>
<p><img alt="Android Install Certificate" src="https://xo.tc/images/android-radius-03-install-cert.png"></p>
<p>Enter the password.</p>
<p><img alt="Android Certificate Password Prompt" src="https://xo.tc/images/android-radius-04-certificate-password.png"></p>
<p>Under usage select WiFi.</p>
<p><img alt="Android Certificate Usage Prompt" src="https://xo.tc/images/android-radius-05-certificate-usage.png"></p>
<p>Now go to connect to your WiFi setting and tap on the network you want to connect to.</p>
<p><img alt="Android WiFi Settings" src="https://xo.tc/images/android-radius-06-wifi-settings.png"></p>
<ul>
<li>Set the Security 802.11x EAP.</li>
<li>Set the EAP method to TLS.</li>
<li>Set the Certification Authority to the one CA created in the first post.</li>
<li>Set the client certificate to the one created in the first post.</li>
</ul>
<h3>Debian</h3>
<p>For Debian we are going to have to export the client certificate differently, instead of a .p12 file we will export the Client Certificate, Client Private Key and CA Certificate separately.</p>
<p>You should already have the CA Certificate, now export the client certificate.
<img alt="Export Certificate" src="https://xo.tc/images/radius-install-cert-debian-export-1.png"></p>
<p>And export the client private key.
<img alt="Export Private Key" src="https://xo.tc/images/radius-install-cert-debian-export-2.png"></p>
<p>Open network manager (Alt + F2 > Connection Preferences) and select your network to connect to.
<img alt="Network Manager" src="https://xo.tc/images/radius-install-cert-debian-1.png"></p>
<p>Open the WiFi Security tab
<img alt="Configure Network" src="https://xo.tc/images/radius-install-cert-debian-2.png"></p>
<ul>
<li>Set the Security to WPA & WPA2 Enterprise.</li>
<li>Set the Authentication to TLS.</li>
<li>Set the Identity to the email address on your client certificate.</li>
<li>Set the User certificate to you client certificate. (pem file)</li>
<li>Set the CA certificate to you Certification Authority root certificate. (pem file)</li>
<li>Set the Private key to the exported private key file. (.key file)</li>
<li>Set the Private key password and hit OK.</li>
</ul>
<div class="footnote">
<hr>
<ol>
<li id="fn:key">
<p>For those that are wondering, that's not the key I'm using at home, it's one I generated just for this tutorial. <a class="footnote-backref" href="#fnref:key" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:Android">
<p>CyanogenMod 13 / Marshmallow <a class="footnote-backref" href="#fnref:Android" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:Debian">
<p>Debian Stretch running KDE Plasma 5.6 with network manager 1.2.2 <a class="footnote-backref" href="#fnref:Debian" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
</ol>
</div>Securing Apache with Client Certificates2016-06-23T07:00:00+08:002016-06-23T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-06-23:/securing-apache-with-client-certificates.html<p>This is the second in a three part series of posts on; <a href="https://xo.tc/setting-up-a-personal-certification-authority.html">Setting up a personal Certification Authority</a>, <a href="https://xo.tc/securing-apache-with-client-certificates.html">Securing Apache with Client Certificates</a>, and <a href="https://xo.tc/setting-up-freeradius-to-secure-your-wifi.html">Setting up FreeRADIUS to secure your WiFi</a>.</p>
<p>So in the <a href="https://xo.tc/setting-up-a-personal-certification-authority.html">previous post</a> we setup a Certification Authority and generated a Client Certificate, now let's use it …</p><p>This is the second in a three part series of posts on; <a href="https://xo.tc/setting-up-a-personal-certification-authority.html">Setting up a personal Certification Authority</a>, <a href="https://xo.tc/securing-apache-with-client-certificates.html">Securing Apache with Client Certificates</a>, and <a href="https://xo.tc/setting-up-freeradius-to-secure-your-wifi.html">Setting up FreeRADIUS to secure your WiFi</a>.</p>
<p>So in the <a href="https://xo.tc/setting-up-a-personal-certification-authority.html">previous post</a> we setup a Certification Authority and generated a Client Certificate, now let's use it.</p>
<p>This guide assumes that you have already got Apache running with SSL, and just want to add client certificates.</p>
<p>I've got <a href="http://deluge-torrent.org/">Deluge</a> with the web UI running on my home server, I've got Apache proxying requests through to it. Deluge does come with a password prompt, but I'd like to add a little extra security for something internet facing so I've set it up to require client certificate to access it.</p>
<p>With Apache it's surprisingly easy to do, just copy the CA certificate (if you followed the example in then it would be <code>~/ExampleCertificationAuthority-cacert.pem</code>) to somewhere accessible by Apache on the server, I recommend a folder like <code>/etc/ssl/custom</code> then just add the <code>SSLCACertificateFile</code> and <code>SSLVerifyClient</code> options to your Apache config, here is an excerpt from mine.</p>
<div class="highlight"><pre><span></span><code>#This allows any client certificate issued by my Certification Authority
SSLCACertificateFile /etc/ssl/custom/ExampleCertificationAuthority-cacert.pem
################################################################################
# Deluge-web config
################################################################################
ProxyRequests off
ProxyPass /deluge http://127.0.0.1:8112/
<span class="nt"><Location</span> <span class="err">/deluge</span><span class="nt">></span>
ProxyPassReverse http://127.0.0.1:8112/deluge/
SSLVerifyClient require
SSLVerifyDepth 3
# Further restricts the list of certs to just authorised ones.
SSLRequire %{SSL_CLIENT_S_DN_Email} eq "michael@xo.tc" \
or %{SSL_CLIENT_S_DN_Email} eq "example@xo.tc"
<span class="nt"></Location></span>
</code></pre></div>
<p>and restart apache <code>sudo systemctl restart apache2.service</code></p>
<p>Next you need to load the client certificate into your browser. For Firefox go to Preferences > Advanced > Certificates > View Certificates</p>
<p><img alt="Firefox Import Certificate" src="https://xo.tc/images/firefox-import-cert-1-menu.png"></p>
<p>Then in the Your Certificates tab go to Import ...</p>
<p><img alt="Firefox Certificate Manager" src="https://xo.tc/images/firefox-import-cert-2-certificate-manager.png"></p>
<p>and select your certificate, in my case that michael@xo.tc-cert.p12</p>
<p><img alt="Firefox Import Certificate Password Prompt" src="https://xo.tc/images/firefox-import-cert-3-password.png"></p>
<p>now when you browse to the site you should get a prompt asking for you to identify yourself with a certificate.</p>
<p><img alt="Firefox Certificate Prompt" src="https://xo.tc/images/firefox-import-cert-4-certificate-prompt.png"></p>
<p>You don't need to secure the server with a certificate signed by the same CA that signs the clients. For example in mine you can see that the server certificate has been signed by <a href="https://www.startssl.com/">StartCom</a> but the client certificate is signed by Example Certification Authority.</p>Setting up a personal Certification Authority2016-06-16T07:00:00+08:002016-06-16T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-06-16:/setting-up-a-personal-certification-authority.html<p>This is the first in a three part series of posts on; <a href="setting-up-a-personal-certification-authority.html">Setting up a personal Certification Authority</a>, <a href="https://xo.tc/securing-apache-with-client-certificates.html">Securing Apache with Client Certificates</a>, and <a href="https://xo.tc/setting-up-freeradius-to-secure-your-wifi.html">Setting up FreeRADIUS to secure your WiFi</a>.</p>
<p>I've been looking for some software to run my own personal Certification Authority. I've used OpenSSL but personally I …</p><p>This is the first in a three part series of posts on; <a href="setting-up-a-personal-certification-authority.html">Setting up a personal Certification Authority</a>, <a href="https://xo.tc/securing-apache-with-client-certificates.html">Securing Apache with Client Certificates</a>, and <a href="https://xo.tc/setting-up-freeradius-to-secure-your-wifi.html">Setting up FreeRADIUS to secure your WiFi</a>.</p>
<p>I've been looking for some software to run my own personal Certification Authority. I've used OpenSSL but personally I find it very hard to work with. I feel like there are hundreds of different options, flags and switches. While OpenSSL can be used to run a CA, I need to look up the commands again and again every time I try to use it. I even find GNU Privacy Guard easier to wrangle.</p>
<p>I've used the Windows Certification Authority at work and it's not too bad, a few peculiarities but it dose it's job. But I don't want to run a Windows Server at Home. Some CAs like <a href="https://www.ejbca.org/screenshots.html">EJBCA</a> look good but I think are overkill for what I wanted so I settled on TinyCA. The <a href="http://tinyca.sm-zone.net/">official site for TinyCA</a> times out but I used the <a href="https://github.com/glennie/tinyca2">Arch Linux version</a>.</p>
<p>On Debian run <code>sudo apt-get install tinyca</code></p>
<p>When you first open TinyCA you are presented with a welcome screen to create a new Certification Authority.</p>
<p><img alt="New TinyCA" src="https://xo.tc/images/tinyca-welcome.png"></p>
<p>Most of the fields are pretty self explanatory</p>
<p><img alt="New TinyCA Filled in" src="https://xo.tc/images/tinyca-welcome-filled-in.png"></p>
<p>Then you are presented with a configuration screen, I just went with the defaults.</p>
<p><img alt="TinyCA Configuration" src="https://xo.tc/images/tinyca-CA-Configuration.png"></p>
<p>OK</p>
<p><img alt="TinyCA Created" src="https://xo.tc/images/tinyca-created.png"></p>
<p>And finaly we get to the main screen of Tiny CA</p>
<p><img alt="TinyCA Configuration" src="https://xo.tc/images/tinyca-main-screen.png"></p>
<p>To create a Client Certificate go over to the requests tab, right click and go to new Request</p>
<p><img alt="TinyCA Request" src="https://xo.tc/images/tinyca-new-request.png"></p>
<p>Fill in your details, again fairly self explanatory</p>
<p><img alt="TinyCA New Request" src="https://xo.tc/images/tinyca-client-cert.png"></p>
<p>Now right click on the request and go to Sign Request > Sign Request (Client)</p>
<p><img alt="TinyCA Sign Request" src="https://xo.tc/images/tinyca-sign-request.png"></p>
<p><img alt="TinyCA Sign Request Client" src="https://xo.tc/images/tinyca-sign-request-client.png"></p>
<p><img alt="TinyCA Signing" src="https://xo.tc/images/tinyca-signing.png"></p>
<p>Now under Certificates select the new certificate and export it</p>
<p><img alt="TinyCA Export Client" src="https://xo.tc/images/tinyca-export-client-certificate.png"></p>
<p>save it as a PKCS12 (.p12) files</p>
<p><img alt="TinyCA Export p12" src="https://xo.tc/images/tinyca-export-p12.png"></p>
<p><img alt="TinyCA Save p12" src="https://xo.tc/images/tinyca-save-p12.png"></p>
<p>And also export the CA Certificate</p>
<p><img alt="TinyCA Export Server" src="https://xo.tc/images/tinyca-export-CA-certificate.png"></p>
<p>For those looking for the Tiny CA configuration files and keys they will be in <code>~/.TinyCA/</code></p>
<p>In the next few posts we will look at what we can do with our new certificates.</p>Perfectly Good2016-06-09T07:00:00+08:002016-06-09T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-06-09:/perfectly-good.html<blockquote>
<p>"The perfect is the enemy of the good"</p>
</blockquote>
<p>A phrase that was popularized by Voltaire according to <a href="https://en.wikipedia.org/wiki/Perfect_is_the_enemy_of_good">Wikipedia</a>.</p>
<p>It's one I've always liked, I've seen products like <a href="https://en.wikipedia.org/wiki/Development_of_Duke_Nukem_Forever">Duke Nukem Forever</a> spend years in development trying to achieve perfection when they could have been released earlier and been good.</p>
<p>Linus Torvalds …</p><blockquote>
<p>"The perfect is the enemy of the good"</p>
</blockquote>
<p>A phrase that was popularized by Voltaire according to <a href="https://en.wikipedia.org/wiki/Perfect_is_the_enemy_of_good">Wikipedia</a>.</p>
<p>It's one I've always liked, I've seen products like <a href="https://en.wikipedia.org/wiki/Development_of_Duke_Nukem_Forever">Duke Nukem Forever</a> spend years in development trying to achieve perfection when they could have been released earlier and been good.</p>
<p>Linus Torvalds has been known to say</p>
<blockquote>
<p>"Release early, release often"<sup id="fnref:Linus"><a class="footnote-ref" href="#fn:Linus">1</a></sup></p>
</blockquote>
<p>I recently attended a forum where there was a presentation on <a href="https://en.wikipedia.org/wiki/Agile_software_development">Agile software development</a> and it's use in developing a <a href="https://github.com/ministryofjustice/prison-visits">booking system for prison visits</a>. One of the things they did was pushed the product out as soon as they had their <a href="https://en.wikipedia.org/wiki/Minimum_viable_product">minimum viable product</a> and then added features from there but they had a system and it was working rather than spending years in development and releasing it only once it was perfect.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:Linus">
<p>I'm not sure if he originally came up with the phrase or not but he has used it. <a class="footnote-backref" href="#fnref:Linus" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Switching from Route 53 to DNS Made Easy2016-06-02T07:00:00+08:002016-06-02T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-06-02:/switching-from-route-53-to-dns-made-easy.html<p>Recently on the <a href="https://www.sage-au.org.au/">SAGE-AU</a> mailing list there was a question about which Linux Distro to use to run a DNS server. While Debian and Red Hat both got a lot of support several people commented that for a small domain, it's not worth the effort of running your own (public …</p><p>Recently on the <a href="https://www.sage-au.org.au/">SAGE-AU</a> mailing list there was a question about which Linux Distro to use to run a DNS server. While Debian and Red Hat both got a lot of support several people commented that for a small domain, it's not worth the effort of running your own (public) DNS server. A lot of people recommended <a href="http://dnsmadeeasy.com/">DNS Made Easy</a> so I thought I'd give it a try.</p>
<p>I've only got a few domains and I was previously using <a href="https://aws.amazon.com/route53/">Amazon's Route 53</a> so I signed up for a 30 day trial, the first thing I noticed was that there was a big banner ad at the top of the management console.</p>
<p><img alt="DNS Made Easy management console" src="https://xo.tc/images/DNS-Made-Easy-management-console.png"></p>
<p>It's not a problem but it just feels a bit tacky for a paid service<sup id="fnref:paid"><a class="footnote-ref" href="#fn:paid">1</a></sup>. The UI isn't terribly slick but it seems intuitively laid out, fairly responsive and dose everything it needs to. And after all, the recommendations were because the service is solid, reliable and reasonably cheep not because it's got flashy lights and a slick UI.</p>
<p>It's going to cost me $29 per year, which is more or less what I was paying for Route 53. And it's much cheaper, easier and more reliable than running a $5 VPS with BIND9.</p>
<p>I feel like the real time statistics must be useful for something, but I'm not sure what. Maybe if you had a more active domain than me it would help show trends.</p>
<p><img alt="DNS Made Easy real time statistics" src="https://xo.tc/images/DNS-Made-Easy-real-time-statistics.png"></p>
<p>Unfortunately Amazon's Route 53 doesn't have an export function but you can a 3rd party tool like <a href="https://github.com/barnybug/cli53">cli53</a> to export a zone file and then you can import that into DNS Made Easy. DNS Made Easy does have an export function, which is a huge plus in my opinion.</p>
<p>I'll see how it goes over the next few months (and update this post if I have any issues) but over all I'm pretty happy with DNS Made Easy so far.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:paid">
<p>I'm assuming it won't disappear when I go from the 30 day trial to the paid version. <a class="footnote-backref" href="#fnref:paid" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>The XO theory of Hotel WiFi2016-05-26T07:00:00+08:002016-05-26T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-05-26:/the-xo-theory-of-hotel-wifi.html<p><img alt="The xo theory of hotel WiFi" src="https://xo.tc/images/the-xo-theory-of-hotel-wifi.png"></p>
<p>This is my theory of Hotel WiFi.</p>
<p>I've stayed in a range of accommodation from $12 per night dorms with only cold showers to $500 a night resorts with a private spa and ensuite. There have been a few exceptions but it generally holds up pretty well.</p>
<p>I'm not going …</p><p><img alt="The xo theory of hotel WiFi" src="https://xo.tc/images/the-xo-theory-of-hotel-wifi.png"></p>
<p>This is my theory of Hotel WiFi.</p>
<p>I've stayed in a range of accommodation from $12 per night dorms with only cold showers to $500 a night resorts with a private spa and ensuite. There have been a few exceptions but it generally holds up pretty well.</p>
<p>I'm not going to name names but I've been in the CBD of a capital city where there are dozens of ISPs competing to provide the cheapest connection and a section of Internet cafés in walking distance. And at the hotel the WiFi is sold in 15 minute blocks, is so slow and unreliable that pages time out, it's not encrypted and they have a proxy that breaks your SSL connections even after you have paid about 20 times the local hourly wage to connect.</p>
<p>I've also stayed in backpackers out in the sticks that have had 100Mbps fiber connections, a WiFi access point in every dorm and the passphrase pinned up on the wall.</p>
<hr>
<p>Graph made with <a href="http://xkcdgraphs.com/">xkcdgraphs</a>.</p>My dream password manager2016-05-19T07:00:00+08:002016-05-19T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-05-19:/my-dream-password-manager.html<p>A few weeks ago I wrote about <a href="https://xo.tc/keepassx-review.html">KeePassX</a> and while I'm very happy and it ticks nearly all the boxes the one feature that's missing and unfortunately would probably require a complete redesign is multi user support.</p>
<p>It would be great to be able to share passwords to some users …</p><p>A few weeks ago I wrote about <a href="https://xo.tc/keepassx-review.html">KeePassX</a> and while I'm very happy and it ticks nearly all the boxes the one feature that's missing and unfortunately would probably require a complete redesign is multi user support.</p>
<p>It would be great to be able to share passwords to some users but without sharing the whole KeePass file<sup id="fnref:sharing"><a class="footnote-ref" href="#fn:sharing">1</a></sup>.</p>
<p>I have this idea in my mind of a password manager that stores each users private key AES encrypted in the same way that GPG does when you export your private key. Then each password and any attachments can be AES encrypted, and have the AES encryption key encrypted with each users public key. Again this is the same way GPG works when you send a 3MB file to 10 people you don't end up with a 30MB file, you have a 3MB file AES encrypted, then each recipient gets a copy of the AES key encrypted with their public key.</p>
<p>The idea is that you could have a database file (SQLite for example) and it wouldn't matter if someone had a copy of the whole file, they could only access things they could decrypt. From their you could have groups, so you could share these passwords with all staff in finance, and these ones with HR, and so on.</p>
<p>You could make this use a real database with a client server model, the database side could offer server side security<sup id="fnref:server-side"><a class="footnote-ref" href="#fn:server-side">2</a></sup> and not hand out the encrypted passwords to people who were not authorised but even if it got compromised and someone got the whole database it would still be secure<sup id="fnref:secure"><a class="footnote-ref" href="#fn:secure">3</a></sup>.</p>
<p>I guess what I'd effectively be inventing is a self hosted version of <a href="https://lastpass.com/">LastPass</a> and that's really what I'd like, secure multi-user password storage that is not hosted off "In the Cloud".</p>
<p><strong>EDIT To Add:</strong> After I wrote this but before I published it I came across <a href="https://github.com/timwhite/TeamPasswordSafe">Tim White's Team Password Safe</a>. I haven't looked at it in too much detail but it looks like it will do more or less what I'd like.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:sharing">
<p>In a perfect world we wouldn't have to share credentials, there would be one account per user and each user would have the permissions to do the work they need to do. But this is not a perfect world, often devices like Wireless Access Points and Photocopiers only have one password and no concept of different accounts. And many business websites do not allow for multiple accounts to manage one organisation, so sharing passwords is unfortunately inevitable. <a class="footnote-backref" href="#fnref:sharing" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:server-side">
<p>Becasue Defense in depth is a good thing. <a class="footnote-backref" href="#fnref:server-side" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:secure">
<p>Or as secure as the weakest password for a key that has access to a given password. <a class="footnote-backref" href="#fnref:secure" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
</ol>
</div>Bendigo Banks Password Requirements2016-05-12T07:00:00+08:002016-05-12T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-05-12:/bendigo-banks-password-requirements.html<p>Bendigo bank's <a href="http://www.bendigobank.com.au/public/help/e-banking-help/mobile-e-banking/security/security?result_114596_result_page=6">password requirement</a> make for an interesting read.</p>
<ul>
<li>You must have exactly eight alpha-numeric characters in your password.</li>
<li>Your password must include at least one letter and at least one number.</li>
<li>The password is not case sensitive.</li>
</ul>
<p>The bit about your password not being case sensitive means they are …</p><p>Bendigo bank's <a href="http://www.bendigobank.com.au/public/help/e-banking-help/mobile-e-banking/security/security?result_114596_result_page=6">password requirement</a> make for an interesting read.</p>
<ul>
<li>You must have exactly eight alpha-numeric characters in your password.</li>
<li>Your password must include at least one letter and at least one number.</li>
<li>The password is not case sensitive.</li>
</ul>
<p>The bit about your password not being case sensitive means they are storing it in plain text<sup id="fnref:plain-text"><a class="footnote-ref" href="#fn:plain-text">1</a></sup>. Troy Hunt also did a good write up on <a href="http://www.troyhunt.com/2015/05/do-you-really-want-bank-grade-security.html">bank's SSL settings</a> where they got a "B" grade.</p>
<p><img alt="Bendigo Bank" src="https://xo.tc/images/bank-password-reqirments/bendigo-bank.png"></p>
<div class="footnote">
<hr>
<ol>
<li id="fn:plain-text">
<p>They could also be converting to all lower or upper case before hashing or hashing the 128 possible variations of your password (2^7 because at least one character must be numeric) but I doubt it. <a class="footnote-backref" href="#fnref:plain-text" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>The Search Bubble2016-05-05T07:00:00+08:002016-05-05T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-05-05:/the-search-bubble.html<p>Duck Duck Go have a very compelling argument for why we should use them over say Google or another search engine. Apart from the privacy aspect where they claim they are not tracking us<sup id="fnref:no-tracking"><a class="footnote-ref" href="#fn:no-tracking">1</a></sup>. They talk about the "search bubble" it's easy to see, just open up a new …</p><p>Duck Duck Go have a very compelling argument for why we should use them over say Google or another search engine. Apart from the privacy aspect where they claim they are not tracking us<sup id="fnref:no-tracking"><a class="footnote-ref" href="#fn:no-tracking">1</a></sup>. They talk about the "search bubble" it's easy to see, just open up a new tab and Google search terms like "philosophy", then "karma", then "Sharing" now type in "Ubuntu" and the first auto complete for me is "Ubuntu Philosophy"</p>
<p><img alt="Ubunut Philosophy" src="https://xo.tc/images/ubuntu-philosophy.png"></p>
<p>Now try again throw in words like "Linux", "open source" and "Debian" now type in "Ubuntu" and for me the first auto complete is "Ubuntu Download"</p>
<p><img alt="Ubunut Download" src="https://xo.tc/images/ubuntu-download.png"></p>
<p>It's easy to see how this can be useful, the more Google knows about your preferences the more it can tailor your search results to be what you want. If I search "great places to eat" and I'm in Perth, Australia I don't want a recommendation for a burger joint in Birmingham, Alabama that's a little over 17,892km away from me. If Google knows you're a strict Vegan, it's not going to recommend the local Steakhouse.</p>
<p>But it's also got the potential to skew your view of the world. Imagine two tourists come to Perth, a vegan and a meet eater, they both search "great places to eat in Perth" and one gets a bunch of restaurants like <a href="http://www.therawkitchen.com.au/">The Raw Kitchen</a> while the other finds places like <a href="http://ribsandburgers.com/au/locations/william-street-wa/">ribs and burgers</a> because that's what Google's advertising thinks they can sell. Now they go home and discuss how they found Perth, one says "There are a lot of hippies in Perth, it's a really relaxed place" while the other thinks "Perth people love their meet, they must all be carnivores"</p>
<p>Now think about the Google searches with questions about religion, gender identities, racial prejudiced. Duck Duck Go's <a href="http://dontbubble.us/">sales pitch</a> is that their search results are the same, no matter who you are, where your from or what they think you might like. Sometimes their search results are not as good as Google's but that's not always a bad thing.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:no-tracking">
<p>To a large extent we simply have to take their word for it that they are not recording what people search for, but based on the available evidence I'm inclined to believe them. <a class="footnote-backref" href="#fnref:no-tracking" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Time Stamp with OpenSSL an cURL2016-04-28T07:00:00+08:002016-04-28T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-04-28:/time-stamp-with-openssl-an-curl.html<p>One of the things that came up on the <a href="https://www.sage-au.org.au/">SAGE-AU mailing lists</a> a few weeks ago was getting data time stamped. I've come across time stamping before when signing code you also get the signature time stamped that way if you sign your code in 2009 with a certificate that …</p><p>One of the things that came up on the <a href="https://www.sage-au.org.au/">SAGE-AU mailing lists</a> a few weeks ago was getting data time stamped. I've come across time stamping before when signing code you also get the signature time stamped that way if you sign your code in 2009 with a certificate that expires in 2012 your code still runs in 2016 because <em>at the time your code was signed the certificate was valid</em> even though it's expired now.</p>
<p>I was also aware that you could <a href="https://en.wikipedia.org/wiki/Trusted_timestamping">time stamp</a> arbitrary data but I didn't really know how. It turns out it's fairly straight forward with just OpenSSL and cURL. Basically you can make a SHA256 hash of the data you want to stamp, then you send that to a stamping server which will verify that it saw that hash at a given time. Thanks to Nick Savvides for these steps.</p>
<div class="highlight"><pre><span></span><code>michael@xo:~$ <span class="nb">echo</span> <span class="s2">"What's the time Mr. Wolf?"</span> > time_stamp_data.txt
michael@xo:~$ openssl ts -query -data time_stamp_data.txt -sha256 -out time_stamp_query.tsq
michael@xo:~$ curl -s -H <span class="s2">"Content-Type:application/timestamp-query"</span> --data-binary @time_stamp_query.tsq http://sha256timestamp.ws.symantec.com/sha256/timestamp > time_stamp_server_response.tsr
michael@xo:~$ openssl ts -reply -in time_stamp_server_response.tsr -out time_stamp_reply.tsr
michael@xo:~$ openssl ts -reply -in time_stamp_reply.tsr -text
Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified
TST info:
Version: <span class="m">1</span>
Policy OID: <span class="m">2</span>.16.840.1.113733.1.7.23.3
Hash Algorithm: sha256
Message data:
<span class="m">0000</span> - <span class="m">06</span> <span class="m">07</span> 9c 9d <span class="m">85</span> <span class="m">79</span> <span class="m">48</span> da-50 <span class="m">15</span> aa <span class="m">83</span> <span class="m">51</span> 5e d9 <span class="m">00</span> .....yH.P...Q^..
<span class="m">0010</span> - bb 2d 0c d0 bb <span class="m">26</span> <span class="nb">cd</span> b0-fe c5 0a 2d <span class="m">94</span> <span class="m">47</span> b3 <span class="m">84</span> .-...<span class="p">&</span>.....-.G..
Serial number: 0x331216786C798D1FFBE256D20FDA52DC515855B7
Time stamp: Apr <span class="m">6</span> <span class="m">06</span>:57:09 <span class="m">2016</span> GMT
Accuracy: 0x1E seconds, unspecified millis, unspecified micros
Ordering: no
Nonce: 0x0C93A642E3B4F1BC
TSA: DirName:/C<span class="o">=</span>US/O<span class="o">=</span>Symantec Corporation/OU<span class="o">=</span>Symantec Trust Network/CN<span class="o">=</span>Symantec SHA256 TimeStamping Signer - G1
Extensions:
michael@xo:~$ sha256sum time_stamp_data.txt
06079c9d857948da5015aa83515ed900bb2d0cd0bb26cdb0fec50a2d9447b384 time_stamp_data.txt
michael@xo:~$
</code></pre></div>KeePassX Review2016-04-21T07:00:00+08:002016-04-21T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-04-21:/keepassx-review.html<p>I've been using <a href="https://www.keepassx.org/">KeePassX</a> for about two years now. I've been putting all my passwords in there and I've got just over 180 entries now.</p>
<p>The argument for using a password manager is pretty easy to make, there is simply no way I could remember 180 different passwords. And especially …</p><p>I've been using <a href="https://www.keepassx.org/">KeePassX</a> for about two years now. I've been putting all my passwords in there and I've got just over 180 entries now.</p>
<p>The argument for using a password manager is pretty easy to make, there is simply no way I could remember 180 different passwords. And especially not at the level of complexity I'd like to have in each password. But why KeePassX specifically, and not some other password manager like <a href="https://pwsafe.org/">PasswordSafe</a>, <a href="https://1password.com/">1 Password</a>, <a href="https://lastpass.com/">LastPass</a>, or just a physical <a href="http://www.peterpauper.com/product_info.php?products_id=5459">password book</a><sup id="fnref:password-book"><a class="footnote-ref" href="#fn:password-book">1</a></sup>?</p>
<h1>Advantages</h1>
<ul>
<li><strong>Open Source</strong> - You can open it up and see what makes it tick.</li>
<li><strong>Cross Platform</strong> - For me Windows and Linux support is important, there is a Mac OS X version too.</li>
<li><strong>Multiple implementations</strong> - This is a great "feature" for two reasons, one is that there are <a href="http://www.keepassdroid.com/">Android</a>, and <a href="https://itunes.apple.com/au/app/minikeepass-secure-password/id451661808?mt=8">iOS</a> implementations. But it also means that several other people have implemented the database format, and have looked through it in enough detail to get it working. If there was any weird backdoor or something that's not documented it's more likely to have been spotted if other people are implementing the spec. You can take a .kdbx file from one KeePass implementation and open it in another.</li>
<li><strong>Encrypted</strong> - Not just Encrypted, but encrypted with a key you control. This might seem obvious, but it's much better than the built in password manager in <a href="http://raidersec.blogspot.com.au/2013/06/how-browsers-store-your-passwords-and.html">most browsers</a></li>
<li><strong>Password Generation</strong> - We are not very good at thinking up passwords, my usual trick is <code>dd if=/dev/random bs=1 count=18 2>/dev/null | base64</code> but sometimes you have to have a specific number of characters or special characters. You can set the parameters you need an KeePassX will generate a password that fits.</li>
<li><strong>Can store files</strong> - You can store "Attachments" with your passwords so you can backup things like private keys.</li>
</ul>
<h1>Neutral</h1>
<ul>
<li><strong>No built in sync option</strong> - This is great because it works offline and a lot of people feel uncomfortable with their passwords being stored by a company owned by <a href="https://blog.lastpass.com/2015/10/lastpass-joins-logmein.html/">LogMeIn</a>. But syncing the file across many devices is really helpfull. Personal I use <a href="https://owncloud.org/">ownCloud</a> to sync my .kdbx file.</li>
</ul>
<h1>Drawbacks</h1>
<ul>
<li><strong>No multi-user support</strong> - You can't share passwords with other users across the organisation without sharing the whole file.</li>
</ul>
<p>I've been using a <a href="https://www.yubico.com/">YubiKey</a> with a long random password to encrypt my KeePassX file so I don't even know what the password to my password manager is.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:password-book">
<p>People may laugh, but Bruce Schneier has <a href="https://www.schneier.com/blog/archives/2005/06/write_down_your.html">written</a> about writing down passwords before and I tend to agree with him. There is an over emphasis on not writing down passwords. While sticking it on a post-it note on your screen might be a dumb idea, getting a password book and keeping it safe in your backpack, hand bag or a locked draw is not a bad idea. We are good at physical security, we have been building safes for almost <a href="https://en.wikipedia.org/wiki/Safe#History">two hundred years</a> now. It's a decentralised offline system, sure one or two people might lose a password book but there will never be a breach which exposes millions of people. <a class="footnote-backref" href="#fnref:password-book" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Setting file permissions2016-04-14T07:00:00+08:002016-04-14T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-04-14:/setting-file-permissions.html<p>This is a fairly short post but it's another one of those <a href="https://xo.tc/tag/note-to-selfhtml.html">Note to self</a> things, I've done this 100 times but I can never remember and need to keep looking up again.</p>
<p>Often I want to go through a directory and set all subdirectories to be readable and all …</p><p>This is a fairly short post but it's another one of those <a href="https://xo.tc/tag/note-to-selfhtml.html">Note to self</a> things, I've done this 100 times but I can never remember and need to keep looking up again.</p>
<p>Often I want to go through a directory and set all subdirectories to be readable and all the files to be read only by everyone except the owner who should have write permissions as well.<sup id="fnref:read-only"><a class="footnote-ref" href="#fn:read-only">1</a></sup></p>
<p>I've got a little command I use, taken from a <a href="http://stackoverflow.com/questions/18352682/correct-file-permissions-for-wordpress">thread on stack overflow</a> that was about WordPress but it's very applicable elsewhere.</p>
<div class="highlight"><pre><span></span><code>chown www-data:www-data -R * <span class="c1"># Let apache be owner</span>
find . -type d -exec chmod <span class="m">755</span> <span class="o">{}</span> <span class="se">\;</span> <span class="c1"># Change directory permissions rwxr-xr-x</span>
find . -type f -exec chmod <span class="m">644</span> <span class="o">{}</span> <span class="se">\;</span> <span class="c1"># Change file permissions rw-r--r--</span>
</code></pre></div>
<div class="footnote">
<hr>
<ol>
<li id="fn:read-only">
<p>without the execute bit set of files so <code>chmod -R 755</code> doesn't work but if you do <code>chmod -R 644</code> you can't open the directories. <a class="footnote-backref" href="#fnref:read-only" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Testing SSL With Nmap2016-04-07T07:00:00+08:002016-04-07T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-04-07:/testing-ssl-with-nmap.html<p>SSL Labs have a <a href="https://www.ssllabs.com/ssltest/">great tool</a> for testing and scoring the strength of your ciphers and SSL implementation. I've seen people go to great lengths to get an "A+ score". While it can be a little bit check box security and can end up with <a href="https://en.wikipedia.org/wiki/Cargo_cult_programming">cargo cult</a> configurations in Apache …</p><p>SSL Labs have a <a href="https://www.ssllabs.com/ssltest/">great tool</a> for testing and scoring the strength of your ciphers and SSL implementation. I've seen people go to great lengths to get an "A+ score". While it can be a little bit check box security and can end up with <a href="https://en.wikipedia.org/wiki/Cargo_cult_programming">cargo cult</a> configurations in Apache. Overall I don't think <a href="https://xo.tc/gamification-of-security.html">Gamification of security</a> is a bad thing.</p>
<p>While the SSL Labs check is great, it wont check things on ports other than 443. If you want to get a list of ciphers supported Nmap is a good <a href="http://superuser.com/a/763908/246589">alternitive</a>.</p>
<div class="highlight"><pre><span></span><code><span class="n">nmap</span> <span class="o">--</span><span class="n">script</span> <span class="n">ssl</span><span class="o">-</span><span class="k">enum</span><span class="o">-</span><span class="n">ciphers</span> <span class="o">-</span><span class="n">p</span> <span class="mi">465</span> <span class="n">mail</span><span class="o">.</span><span class="n">xo</span><span class="o">.</span><span class="n">tc</span>
<span class="n">Starting</span> <span class="n">Nmap</span> <span class="mf">6.47</span> <span class="p">(</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">nmap</span><span class="o">.</span><span class="n">org</span> <span class="p">)</span> <span class="n">at</span> <span class="mi">2016</span><span class="o">-</span><span class="mi">03</span><span class="o">-</span><span class="mi">29</span> <span class="mi">15</span><span class="p">:</span><span class="mi">44</span> <span class="n">AWST</span>
<span class="n">Nmap</span> <span class="n">scan</span> <span class="n">report</span> <span class="k">for</span> <span class="n">mail</span><span class="o">.</span><span class="n">xo</span><span class="o">.</span><span class="n">tc</span> <span class="p">(</span><span class="mf">103.25</span><span class="o">.</span><span class="mf">56.23</span><span class="p">)</span>
<span class="n">Host</span> <span class="k">is</span> <span class="n">up</span> <span class="p">(</span><span class="mf">0.034</span><span class="n">s</span> <span class="n">latency</span><span class="p">)</span><span class="o">.</span>
<span class="n">rDNS</span> <span class="n">record</span> <span class="k">for</span> <span class="mf">103.25</span><span class="o">.</span><span class="mf">56.23</span><span class="p">:</span> <span class="n">xo</span><span class="o">.</span><span class="n">tc</span>
<span class="n">PORT</span> <span class="n">STATE</span> <span class="n">SERVICE</span>
<span class="mi">465</span><span class="o">/</span><span class="n">tcp</span> <span class="n">open</span> <span class="n">smtps</span>
<span class="o">|</span> <span class="n">ssl</span><span class="o">-</span><span class="k">enum</span><span class="o">-</span><span class="n">ciphers</span><span class="p">:</span>
<span class="o">|</span> <span class="n">TLSv1</span><span class="o">.</span><span class="mi">0</span><span class="p">:</span>
<span class="o">|</span> <span class="n">ciphers</span><span class="p">:</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_AES_128_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_AES_256_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_RC4_128_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_3DES_EDE_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_AES_128_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_AES_128_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_AES_256_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_AES_256_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_CAMELLIA_128_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_CAMELLIA_256_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_RC4_128_MD5</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_RC4_128_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">compressors</span><span class="p">:</span>
<span class="o">|</span> <span class="n">NULL</span>
<span class="o">|</span> <span class="n">TLSv1</span><span class="o">.</span><span class="mi">1</span><span class="p">:</span>
<span class="o">|</span> <span class="n">ciphers</span><span class="p">:</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_AES_128_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_AES_256_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_RC4_128_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_3DES_EDE_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_AES_128_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_AES_128_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_AES_256_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_AES_256_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_CAMELLIA_128_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_CAMELLIA_256_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_RC4_128_MD5</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_RC4_128_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">compressors</span><span class="p">:</span>
<span class="o">|</span> <span class="n">NULL</span>
<span class="o">|</span> <span class="n">TLSv1</span><span class="o">.</span><span class="mi">2</span><span class="p">:</span>
<span class="o">|</span> <span class="n">ciphers</span><span class="p">:</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_AES_128_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_AES_256_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_RC4_128_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_3DES_EDE_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_AES_128_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_AES_128_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_AES_128_GCM_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_AES_256_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_AES_256_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_AES_256_GCM_SHA384</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_CAMELLIA_128_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_CAMELLIA_256_CBC_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_RC4_128_MD5</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_RSA_WITH_RC4_128_SHA</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">compressors</span><span class="p">:</span>
<span class="o">|</span> <span class="n">NULL</span>
<span class="o">|</span><span class="n">_</span> <span class="n">least</span> <span class="n">strength</span><span class="p">:</span> <span class="n">strong</span>
<span class="n">Nmap</span> <span class="n">done</span><span class="p">:</span> <span class="mi">1</span> <span class="n">IP</span> <span class="n">address</span> <span class="p">(</span><span class="mi">1</span> <span class="n">host</span> <span class="n">up</span><span class="p">)</span> <span class="n">scanned</span> <span class="ow">in</span> <span class="mf">19.92</span> <span class="n">seconds</span>
</code></pre></div>
<p>I've got lot's of ciphers enabled for SMTPs and I talked about that in my post <a href="https://xo.tc/is-bad-crypto-better-than-no-crypto.html">Is bad crypto better than no crypt?</a>. But for other services where I control both the client and the server I try to only enable the ciphers I will use for example my IMAPs configuration only has two ciphers available.</p>
<div class="highlight"><pre><span></span><code><span class="n">nmap</span> <span class="o">--</span><span class="n">script</span> <span class="n">ssl</span><span class="o">-</span><span class="k">enum</span><span class="o">-</span><span class="n">ciphers</span> <span class="o">-</span><span class="n">p</span> <span class="mi">993</span> <span class="n">mail</span><span class="o">.</span><span class="n">xo</span><span class="o">.</span><span class="n">tc</span>
<span class="n">Starting</span> <span class="n">Nmap</span> <span class="mf">6.47</span> <span class="p">(</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">nmap</span><span class="o">.</span><span class="n">org</span> <span class="p">)</span> <span class="n">at</span> <span class="mi">2016</span><span class="o">-</span><span class="mi">03</span><span class="o">-</span><span class="mi">29</span> <span class="mi">15</span><span class="p">:</span><span class="mi">46</span> <span class="n">AWST</span>
<span class="n">Nmap</span> <span class="n">scan</span> <span class="n">report</span> <span class="k">for</span> <span class="n">mail</span><span class="o">.</span><span class="n">xo</span><span class="o">.</span><span class="n">tc</span> <span class="p">(</span><span class="mf">103.25</span><span class="o">.</span><span class="mf">56.23</span><span class="p">)</span>
<span class="n">Host</span> <span class="k">is</span> <span class="n">up</span> <span class="p">(</span><span class="mf">0.034</span><span class="n">s</span> <span class="n">latency</span><span class="p">)</span><span class="o">.</span>
<span class="n">rDNS</span> <span class="n">record</span> <span class="k">for</span> <span class="mf">103.25</span><span class="o">.</span><span class="mf">56.23</span><span class="p">:</span> <span class="n">xo</span><span class="o">.</span><span class="n">tc</span>
<span class="n">PORT</span> <span class="n">STATE</span> <span class="n">SERVICE</span>
<span class="mi">993</span><span class="o">/</span><span class="n">tcp</span> <span class="n">open</span> <span class="n">imaps</span>
<span class="o">|</span> <span class="n">ssl</span><span class="o">-</span><span class="k">enum</span><span class="o">-</span><span class="n">ciphers</span><span class="p">:</span>
<span class="o">|</span> <span class="n">TLSv1</span><span class="o">.</span><span class="mi">2</span><span class="p">:</span>
<span class="o">|</span> <span class="n">ciphers</span><span class="p">:</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</span> <span class="o">-</span> <span class="n">strong</span>
<span class="o">|</span> <span class="n">compressors</span><span class="p">:</span>
<span class="o">|</span> <span class="n">NULL</span>
<span class="o">|</span><span class="n">_</span> <span class="n">least</span> <span class="n">strength</span><span class="p">:</span> <span class="n">strong</span>
<span class="n">Nmap</span> <span class="n">done</span><span class="p">:</span> <span class="mi">1</span> <span class="n">IP</span> <span class="n">address</span> <span class="p">(</span><span class="mi">1</span> <span class="n">host</span> <span class="n">up</span><span class="p">)</span> <span class="n">scanned</span> <span class="ow">in</span> <span class="mf">0.93</span> <span class="n">seconds</span>
</code></pre></div>Sending emails with telnet and OpenSSL2016-03-31T07:00:00+08:002016-03-31T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-03-31:/sending-emails-with-telnet-and-openssl.html<p>You can send an email using telnet it's very useful for debugging. It's something I've done several times before but because it's not something I do regularly I always forget the exact syntax so I've written this as a <a href="https://xo.tc/tag/note-to-selfhtml.html">Note to self</a> to remember the commands.</p>
<p>Finding the mail server …</p><p>You can send an email using telnet it's very useful for debugging. It's something I've done several times before but because it's not something I do regularly I always forget the exact syntax so I've written this as a <a href="https://xo.tc/tag/note-to-selfhtml.html">Note to self</a> to remember the commands.</p>
<p>Finding the mail server to connect to</p>
<div class="highlight"><pre><span></span><code>nslookup
> <span class="nb">set</span> <span class="nv">q</span><span class="o">=</span>mx
> gmail.com
Server: <span class="m">8</span>.8.8.8
Address: <span class="m">8</span>.8.8.8#53
Non-authoritative answer:
gmail.com mail <span class="nv">exchanger</span> <span class="o">=</span> <span class="m">5</span> gmail-smtp-in.l.google.com.
gmail.com mail <span class="nv">exchanger</span> <span class="o">=</span> <span class="m">40</span> alt4.gmail-smtp-in.l.google.com.
gmail.com mail <span class="nv">exchanger</span> <span class="o">=</span> <span class="m">30</span> alt3.gmail-smtp-in.l.google.com.
gmail.com mail <span class="nv">exchanger</span> <span class="o">=</span> <span class="m">10</span> alt1.gmail-smtp-in.l.google.com.
gmail.com mail <span class="nv">exchanger</span> <span class="o">=</span> <span class="m">20</span> alt2.gmail-smtp-in.l.google.com.
</code></pre></div>
<p>Sending email with Telnet</p>
<div class="highlight"><pre><span></span><code>$ telnet gmail-smtp-in.l.google.com <span class="m">25</span>
HELO my-reverse-dns-address.example.com
MAIL FROM: Michael@my-reverse-dns-address.example.com
RCPT TO: abuse@gmail.com
DATA
Subject: Test Email
Lorem ipsum dolor sit amet, consectetur adipiscing elit.
molestie, fringilla turpis id, ultrices tortor,
ac consectetur massa imperdiet ac. Fusce ac porta orci.
.
</code></pre></div>
<p>if auth is required we can use base64 to work out the username and password or if base64 is not available (e.g. on windows) we can do it in python</p>
<div class="highlight"><pre><span></span><code><span class="kn">import</span> <span class="nn">base64</span>
<span class="n">username</span> <span class="o">=</span> <span class="n">base64</span><span class="o">.</span><span class="n">b64encode</span><span class="p">(</span><span class="s2">"michael@example.com"</span><span class="p">)</span>
<span class="n">password</span> <span class="o">=</span> <span class="n">base64</span><span class="o">.</span><span class="n">b64encode</span><span class="p">(</span><span class="s2">"open-sesame"</span><span class="p">)</span>
</code></pre></div>
<p>Once we have the username and password we can use them</p>
<div class="highlight"><pre><span></span><code>$ telnet smtp.example.com <span class="m">25</span>
EHLO my-reverse-dns-address.example.com
AUTH LOGIN
<span class="nv">bWljaGFlbEBleGFtcGxlLmNvbQ</span><span class="o">==</span>
<span class="nv">b3Blbi1zZXNhbWU</span><span class="o">=</span>
MAIL FROM: my-reverse-dns-address.example.com
RCPT TO: michael@example.com
DATA
Subject: Test Email - Authenticated as michael@example.com
Lorem ipsum dolor sit amet, consectetur adipiscing elit.
molestie, fringilla turpis id, ultrices tortor,
ac consectetur massa imperdiet ac. Fusce ac porta orci.
.
</code></pre></div>
<p>We can use OpenSSL to send emails using the STARTSSL command (i.e. start a standard SMTP connection then upgrade to TLS)</p>
<div class="highlight"><pre><span></span><code>$ openssl s_client -starttls smtp -crlf -connect smtp.example.com:25
EHLO my-reverse-dns-address.example.com
AUTH LOGIN
<span class="nv">bWljaGFlbEBleGFtcGxlLmNvbQ</span><span class="o">==</span>
<span class="nv">b3Blbi1zZXNhbWU</span><span class="o">=</span>
MAIL FROM: my-reverse-dns-address.example.com
RCPT TO: Michael@example.com
DATA
Subject: Test Email - Authenticated as michael@example.com
Lorem ipsum dolor sit amet, consectetur adipiscing elit.
molestie, fringilla turpis id, ultrices tortor,
ac consectetur massa imperdiet ac. Fusce ac porta orci.
.
</code></pre></div>
<p>Or We can use OpenSSL to send emails using SMTPS (i.e. start a TLS connection then do SMTP over it)</p>
<div class="highlight"><pre><span></span><code>$ openssl s_client -connect smtps.example.com:465
EHLO my-reverse-dns-address.example.com
AUTH LOGIN
<span class="nv">bWljaGFlbEBleGFtcGxlLmNvbQ</span><span class="o">==</span>
<span class="nv">b3Blbi1zZXNhbWU</span><span class="o">=</span>
MAIL FROM: my-reverse-dns-address.example.com
RCPT TO: Michael@example.com
DATA
Subject: Test Email - Authenticated as michael@example.com
Lorem ipsum dolor sit amet, consectetur adipiscing elit.
molestie, fringilla turpis id, ultrices tortor,
ac consectetur massa imperdiet ac. Fusce ac porta orci.
.
</code></pre></div>
<p>Personally I prefer the idea of sending mail over SMTPS (port 465). I know it's not <a href="http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt">officially</a> in the IANA spec, but it just makes a lot more sense to me to start an encrypted connection and then send email over it, than to start an unencrypted connection and then upgrade it to an encrypted one.</p>Malware Captcha2016-03-24T07:00:00+08:002016-03-24T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-03-24:/malware-captcha.html<p>I've had a couple of people mention to me recently that they have been hit by CryptoLocker<sup id="fnref:cryptolocker"><a class="footnote-ref" href="#fn:cryptolocker">1</a></sup> that it was delivered by a link to a page with a <a href="https://en.wikipedia.org/wiki/CAPTCHA">CAPTCHA</a> and only after solving the CAPTCHA were the users directed to a link to a .exe file.</p>
<p>There were …</p><p>I've had a couple of people mention to me recently that they have been hit by CryptoLocker<sup id="fnref:cryptolocker"><a class="footnote-ref" href="#fn:cryptolocker">1</a></sup> that it was delivered by a link to a page with a <a href="https://en.wikipedia.org/wiki/CAPTCHA">CAPTCHA</a> and only after solving the CAPTCHA were the users directed to a link to a .exe file.</p>
<p>There were a couple of explanations given, one was that it made the user fell more convinced that the file was legitimate. I'm not entirely sure about that but I guess it seems plausible, people might think "It's hardly going to be malware if it's this hard to get it".</p>
<p>The other explanation that I think might be more on the money is that many gateway anti-virus and anti-spam products will follow links in emails and will block and flag any link to an exe file. Also there are tools out there like <a href="https://www.virustotal.com/en/url/0348f062836cde21679b4f9b6881bec3b18575f326219e42d9f2ae0ac35fbc64/analysis/">virustotal</a> that will analyse urls and flag them as suspect.</p>
<p>I enjoyed the irony though that even people running botnets need to use CAPTCHAs to stop their malware from being flagged by other (good) bots.</p>
<p>I guess it doesn't matter if your running a network for <a href="http://www.doctorswithoutborders.org">charity hospitals</a> or running a network to distribute malware, we all face the same kinds of challenges.</p>
<p><a href="https://www.commitstrip.com/en/2016/02/17/all-this-effort-all-this-skill-for-this/"><img alt="All this effort, all this skill, for this..." src="https://xo.tc/images/Strip-Taf-pour-Anticvirus-english650-final.jpg"></a>
If you haven't seen <a href="http://www.commitstrip.com/en/?">commitstrip</a> before I'm sorry for killing your productivity for the next few hours.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:cryptolocker">
<p>They said "CryptoLocker" but it may not have been that specific strain I suspect it was just some generic ransomware. <a class="footnote-backref" href="#fnref:cryptolocker" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>The need for new CVEs2016-03-17T07:00:00+08:002016-03-17T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-03-17:/the-need-for-new-cves.html<p>LWN has an interesting article <a href="https://lwn.net/Articles/679315/">CVE woes and alternatives</a> about how hard it is to get a CVE number for a vulnerability. The general thrust is that some researchers have found it too hard and so simply don't bother. </p>
<p>There were some suggestions about a new system that makes it …</p><p>LWN has an interesting article <a href="https://lwn.net/Articles/679315/">CVE woes and alternatives</a> about how hard it is to get a CVE number for a vulnerability. The general thrust is that some researchers have found it too hard and so simply don't bother. </p>
<p>There were some suggestions about a new system that makes it easier to get a number and track vulnerabilities. </p>
<p>My first through was that something like a wiki would be a great idea, sure it would need curating and someone to clean up the spam and the trolls just like Wikipedia does but it could be managable. This would allow researchers to easily get a number and start adding information without it needing to go through a long and bureaucratic<sup id="fnref:bureaucratic"><a class="footnote-ref" href="#fn:bureaucratic">1</a></sup> vetting process.</p>
<p>But then I though it would need something just a little more than a wiki, some level of automation to pull information from other sources, not only <a href="https://cve.mitre.org/">mitre CVEs</a> but also things like <a href="https://www.debian.org/security/">Debian DSAs</a> or <a href="https://technet.microsoft.com/en-us/security/bulletin/dn602597.aspx">Microsoft Security Bulletin</a>. </p>
<p>Some sort of database to link between a vulnerability, it's related patches and keep all the diffrent tracking systems in sync. It would have to be largely automated but also alow the community to edit and update it like Wikipedia does, otherwise keeping it up to date would become a herculean task. I believe that mitre has a huge backlog and I think it's only going to get worse. A system that is open to the community can scale in a ways a controlled system never could.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:bureaucratic">
<p>I don't want to sound too negitive here, the work that mitre does is great and ensures a high quality of information, but I've experanced it myself when I look up a CVE and just see "Reserved" because it hasn't been vetted yet. <a class="footnote-backref" href="#fnref:bureaucratic" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>WaFreeNet2016-03-10T07:00:00+08:002016-03-10T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-03-10:/wafreenet.html<p>This months <a href="http://plug.org.au/">Perth Linux Users Group</a> talk was from <a href="http://www.wafreenet.org/">WaFreeNet</a> a networks stretching across most of the Perth metropolitan <a href="http://www.wafreenet.org/Network">area</a>. A bunch of wireless enthusiasts have connected point to point links to make a large network separate from their standard Internet connection.</p>
<p>It got me thinking apart from how much …</p><p>This months <a href="http://plug.org.au/">Perth Linux Users Group</a> talk was from <a href="http://www.wafreenet.org/">WaFreeNet</a> a networks stretching across most of the Perth metropolitan <a href="http://www.wafreenet.org/Network">area</a>. A bunch of wireless enthusiasts have connected point to point links to make a large network separate from their standard Internet connection.</p>
<p>It got me thinking apart from how much fun it looks just for the shear joy of setting up a network it's also great to have other networks like this that don't rely on the Internet. I remember reading about when the Egyptian government cut the national Internet connection that a lot of people started using peer to peer messaging over Bluetooth and mesh WiFi. It's nice to know that if there are Internet problems in Perth whether the intentional or accidental, there are alternative networks out there.</p>Google Maps Vs OpenStreetMap2016-03-03T07:00:00+08:002016-03-03T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-03-03:/google-maps-vs-openstreetmap.html<p>I've been using <a href="https://www.openstreetmap.org/">OpenStreetMap</a><sup id="fnref:using-osm"><a class="footnote-ref" href="#fn:using-osm">1</a></sup> for about two years now. I <a href="https://xo.tc/good-bye-google.html">migrated</a> from Google Maps, mostly for philosophical reasons to do with data collection and licensing.</p>
<p>I think the biggest difference between the two can be summed up as:</p>
<ul>
<li><strong>OpenStreetMap has much better coverage of obscure places</strong> (particularly things like …</li></ul><p>I've been using <a href="https://www.openstreetmap.org/">OpenStreetMap</a><sup id="fnref:using-osm"><a class="footnote-ref" href="#fn:using-osm">1</a></sup> for about two years now. I <a href="https://xo.tc/good-bye-google.html">migrated</a> from Google Maps, mostly for philosophical reasons to do with data collection and licensing.</p>
<p>I think the biggest difference between the two can be summed up as:</p>
<ul>
<li><strong>OpenStreetMap has much better coverage of obscure places</strong> (particularly things like hiking trails) if you are going somewhere off the beaten track where the "roads" are just a gravel path or a mud track then use the OpenStreetMap.</li>
<li><strong>Google Maps has much better search</strong>, if you are trying to find a place (particularly things like a local business) use Google Maps.</li>
</ul>
<p>An excellent example of this is a place I stayed at for a few days on holiday when I was younger called <a href="http://www.forrestairport.com.au/">Forrest Air Port</a>. When I stayed there it had a population of 3.<sup id="fnref:population"><a class="footnote-ref" href="#fn:population">2</a></sup></p>
<p>Google Maps finds it easily with a simple search. All it shows is the air strip and a single road.
<img alt="Google Maps - Forrest Air Port" src="https://xo.tc/images/forrest-airport-GoogleMaps.png"></p>
<p>OpenStreetMap finds it too, but it's a bit harder to find and it's not the first result. Once you do find it through it's got a lot more detail, it's got all the four wheel drive tracks, the walking tracks, it's even got every single house in the town mapped out (all 6 of them), the airplane hangar, the Australia Post Community Postal Agents (post box) in the correct place.
<img alt="OpenStreetMap - Forrest Air Port" src="https://xo.tc/images/forrest-airport-OpenStreetMaps.png"></p>
<p>Another place I've stayed is <a href="http://birdlife.org.au/visit-us/observatories/eyre">Eyre Bird Observatory</a>. Google maps can <a href="https://www.google.com.au/maps/place/Eyre+Bird+Observatory">find it</a><sup id="fnref:finds"><a class="footnote-ref" href="#fn:finds">3</a></sup>, infact all I typed was "Eyre bi" and it had the correct suggestion. But Google Maps it puts the pin on the nearest town which is about 30 km away<sup id="fnref:30km-away"><a class="footnote-ref" href="#fn:30km-away">4</a></sup> although if you change to "earth" view you can find <a href="https://www.google.com.au/maps/@-32.2464924,126.3024297,340m/data=!3m1!1e3">the house</a>. While <a href="http://www.openstreetmap.org/node/1604654071#map=19/-32.24650/126.30147">OpenStreetMap</a> has the marker in the right location and has the four wheel drive track marked out too.</p>
<p>OpenStreetMap coverage in metro areas is pretty good, but I think Google's ease of use and search has the edge.</p>
<p>So if your going hiking somewhere there is no phone coverage and you want to navigate by GPS using offline maps OpenStreetMap is the hands down winner.</p>
<p>If your in the metro area and you want to find the nearest burger joint or get navigation that includes public transport or current traffic conditions Google Maps is for you.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:using-osm">
<p>I feel that I should point out that while I try to make most of my posts security related using OpenStreetMap over Google Maps is not about security. It's a philosophical stance on licensing, freedom, and openness. I guess you could look at it from the security view of not giving your persoanl informaiton to a large coporation for more about my views on google see my post <a href="https://xo.tc/good-bye-google.html">Good bye Google</a> <a class="footnote-backref" href="#fnref:using-osm" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:population">
<p>Although there were four of us, so I suppose if you count tourists it had a population of 7. <a class="footnote-backref" href="#fnref:population" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:finds">
<p>EDIT: 2016-09-05 some time after I posted this Google Maps was updated with the right location. While this example may no longer be correct, I still find that OpenStreetMap has better coverage of obscure country towns with populations you can count without taking off your shoes. <a class="footnote-backref" href="#fnref:finds" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
<li id="fn:30km-away">
<p>About 50 km by car which takes about an hour and a half because it's a sand track up an escarpment. <a class="footnote-backref" href="#fnref:30km-away" title="Jump back to footnote 4 in the text">↩</a></p>
</li>
</ol>
</div>Linux mint website hacked2016-02-25T07:00:00+08:002016-02-25T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-02-25:/linux-mint-website-hacked.html<p>Recently the Linux Mint website and forums were <a href="http://lwn.net/Articles/676613/">compromised</a> and the download link for the Linux Mint ISO file was replaced with a link to a backdoored ISO file.</p>
<p>While the fact that they were compromised doesn't concern me that much, it happens to just about everyone in the long …</p><p>Recently the Linux Mint website and forums were <a href="http://lwn.net/Articles/676613/">compromised</a> and the download link for the Linux Mint ISO file was replaced with a link to a backdoored ISO file.</p>
<p>While the fact that they were compromised doesn't concern me that much, it happens to just about everyone in the long run. The two big questions I'm much more concerned about are "How did it happen" and "How did the Linux Mint team react?".</p>
<h2>How did it happen?</h2>
<p>We still don't know for sure, there has been lot's of speculation, there was an official post saying it was from their WordPress install but no real detail and some conflicting information later. The most plausible theories are that the server hosting the website was also hosting a number of different sites like a Wordpress site that was out of date and a some phpBB forums. It has been suggested that someone used a known vulnerability in either WordPress or phpBB to compromise the server and from there were able to modify the main website.</p>
<h2>How did Linux Mint react?</h2>
<p>In my opinion they reacted very poorly. I think the correct procedure would have been to shutdown the server, determan the root cause of the breach, reinstall from backups and make sure the vulnerability was patched before bringing the server back up. But from the <a href="http://blog.linuxmint.com/?p=2994#comment-124881">comments</a> we can see that the link was changed back to the backdoored ISO after the announcement showing the attackers were still in controll of the server.</p>
<blockquote>
<p>Thanks for reporting this, this is a second attack so it means we?re still vulnerable. I?m shutting the server down right now.</p>
</blockquote>
<p>Other organisations like <a href="https://wiki.debian.org/DebianWiki/SecurityIncident2012">Debian</a> and <a href="http://lists.linux.org.au/pipermail/linux-aus/2015-April/022049.html">Linux Australia</a> hav both suffered breaches in the past but they have done a much more thorough job of reacting to it and reporting it.</p>My confusing feelings about net neutrality2016-02-18T07:00:00+08:002016-02-18T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-02-18:/my-confusing-feelings-about-net-neutrality.html<p>Being an <a href="https://www.efa.org.au/">EFA</a> member it probably wouldn't surprise anyone that my views are heavily in favor of net neutrality.</p>
<p>EFA recently published an article <a href="https://www.efa.org.au/2016/02/15/digital-india-facebook/">Why Digital India took on Facebook and won</a> and it got me thinking about some of the practices of Australian ISPs. Some I think are reasonable …</p><p>Being an <a href="https://www.efa.org.au/">EFA</a> member it probably wouldn't surprise anyone that my views are heavily in favor of net neutrality.</p>
<p>EFA recently published an article <a href="https://www.efa.org.au/2016/02/15/digital-india-facebook/">Why Digital India took on Facebook and won</a> and it got me thinking about some of the practices of Australian ISPs. Some I think are reasonable and others I think are not, but I'm not sure where to draw the line between the two.</p>
<p>A specific example is my ISP Internode has a has local <a href="http://mirror.internode.on.net/pub/">FTP mirror</a> that they have been running for years<sup id="fnref:years"><a class="footnote-ref" href="#fn:years">1</a></sup> with a bunch of Linux repositories on it. So updates for Arch, CentOS, Debian, Fedora, Ubuntu, etc.. are in their "<a href="http://www.internode.on.net/residential/entertainment/unmetered_content/">unmetered</a>" zone. They even mirror the <a href="http://mirror.internode.on.net/pub/linux.conf.au/">linux.conf.au videos</a> so you can download all the videos of talks and they don't count against your quota.</p>
<p>With Internode's "Easy Naked ADSL2+" plan<sup id="fnref:plan"><a class="footnote-ref" href="#fn:plan">2</a></sup> if you download more than your quota you get <a href="http://www.internode.on.net/residential/broadband/product_features/power_business_packs/#Over_Quota_Shaping">shaped</a> down from 24Mbps<sup id="fnref:24Mbps"><a class="footnote-ref" href="#fn:24Mbps">3</a></sup> to 128Kbps but you can still get internode's unmetered content at full speed.</p>
<p>The thing is that Internode also offer Netflix and Xbox Live Game Downloads as unmetered content too. So someone who has downloaded over their quota can't watch YouTube or Vimeo at much better than dial up speeds but they can watch Netflix in HD with no issues. While I feel that the FTP server is reasonable I feel uncomfortable about Netflix and Xbox Live, but I have real trouble differentiating the two.</p>
<p>The most obvious difference between the two is that content on the FTP mirror is free and not distributed for profit but even that gets a bit shaky when things like <a href="http://mirror.internode.on.net/pub/idstuff/">Doom 3 and Quake 4</a> install files are on there. Even if everything on the mirror was free<sup id="fnref:free"><a class="footnote-ref" href="#fn:free">4</a></sup> would that be enough? Is it fair that I get my Debian updates unmetered at full speed while my friends have to download their Windows and OSX updates at 128Kbps? I feel it's still anti-competitive in a way.</p>
<p>I think the reason I don't mind the FTP mirror as much is it was setup years ago and I don't think there is any way Internode are getting a kickback from the Linux community infact I suspect it's costing Internode money.<sup id="fnref:costing-money"><a class="footnote-ref" href="#fn:costing-money">5</a></sup></p>
<div class="footnote">
<hr>
<ol>
<li id="fn:years">
<p>The oldest example I can find from a quick search was from archive.org going back to <a href="https://web.archive.org/web/20021010082256/http://mirror.internode.on.net/">2002</a> but I'm pretty sure the mirror has been around since the mid 1990s <a class="footnote-backref" href="#fnref:years" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:plan">
<p>That's the plan I'm on <a class="footnote-backref" href="#fnref:plan" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:24Mbps">
<p>At least 24Mbps was the theoretical maximum, I get about 8Mbps. <a class="footnote-backref" href="#fnref:24Mbps" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
<li id="fn:free">
<p>When I say free here I mean libre, free as in speech not necessarily free as in beer. So that could include Red Hat updates on the mirror. <a class="footnote-backref" href="#fnref:free" title="Jump back to footnote 4 in the text">↩</a></p>
</li>
<li id="fn:costing-money">
<p>You could argue that it's saving them bandwidth because users are downloading packages locally rather than over the internet but most distros use http to download packages and then GPG to verify packages rather than https so Internode could just transparently proxy most traffic and I doubt that running an FTP mirror is a big enough draw card that it gets them many extra customers. <a class="footnote-backref" href="#fnref:costing-money" title="Jump back to footnote 5 in the text">↩</a></p>
</li>
</ol>
</div>What is a TPM2016-02-11T07:00:00+08:002016-02-11T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-02-11:/what-is-a-tpm.html<p>There is a great <a href="https://www.youtube.com/watch?v=rML5DfYUh_k">video</a> that's come out of linux.conf.au 2016 where <a href="https://mjg59.dreamwidth.org/">Matthew Garrett</a> talks about Trusted Platform Modules (TPMs) what they are, what they can do and how you can use them to secure your computer.</p>
<p>Before watching the video I was vaguely aware that there are …</p><p>There is a great <a href="https://www.youtube.com/watch?v=rML5DfYUh_k">video</a> that's come out of linux.conf.au 2016 where <a href="https://mjg59.dreamwidth.org/">Matthew Garrett</a> talks about Trusted Platform Modules (TPMs) what they are, what they can do and how you can use them to secure your computer.</p>
<p>Before watching the video I was vaguely aware that there are these things called TPMs and they can be used for a bunch of fancy crypto stuff including being able to sign things with keys that are not stored<sup id="fnref:stored"><a class="footnote-ref" href="#fn:stored">1</a></sup> on the computer either on the disk or in memory so that even if the system is compromised the key can't be recovered. I also knew it could do some fancy stuff with the boot process so that you could verify that your system's boot had not been tampered with. This could be used to stop an "Evil Maid attack" where someone replaces your kernel with a back doored one, as I mentioned in my post on <a href="https://xo.tc/setting-up-full-disk-encryption-on-debian-jessie.html">Setting Up Full Disk Encryption on Debian Jessie</a>.</p>
<p>After watching Matthew excellent talk I feel that I have a much deeper understanding of what a TPM is and what it can do. One of the nice things you can do with a TPM is get it to display a TOTP code like the ones used in most 2 factor authentication solutions that will only be accurate if you boot hasn't been tampered so you can be sure that the prompt asking for your passphrase to decrypt your disks is not backdoored.<sup id="fnref:TOTP"><a class="footnote-ref" href="#fn:TOTP">2</a></sup></p>
<p>So now while I'm still confused and uncertain about TPMs, it's on a much higher plane.<sup id="fnref:Terry-Pratchett"><a class="footnote-ref" href="#fn:Terry-Pratchett">3</a></sup></p>
<div class="footnote">
<hr>
<ol>
<li id="fn:stored">
<p>Technically the key might be stored on the disk, but that key is encrypted with a key that <em>is</em> in the TPM so as Matthew <a href="https://www.youtube.com/watch?v=rML5DfYUh_k&feature=youtu.be&t=16m10s">says</a> "It's like having some ones private GPG key that's been passphrase encrypted, you can't actually use it without knowing the decryption key." <a class="footnote-backref" href="#fnref:stored" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:TOTP">
<p>I'll admit I'm not sure how practical this is, it seems like too much work and even paranoid users will give it up at some time. But it's still cool that you can do it. <a class="footnote-backref" href="#fnref:TOTP" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:Terry-Pratchett">
<p>Taken from <a href="http://www.goodreads.com/quotes/14635-cutangle-while-i-m-still-confused-and-uncertain-it-s-on-a">Terry Pratchett's, Equal Rites</a> <a class="footnote-backref" href="#fnref:Terry-Pratchett" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
</ol>
</div>Running rm -rf / permanently bricks a laptop2016-02-04T07:00:00+08:002016-02-04T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-02-04:/running-rm-rf-permanently-bricks-a-laptop.html<p>There was an email posted to the <a href="https://plug.org.au">PLUG</a> mailing lists recently about a user that had run <code>rm -rf /</code> and <a href="https://bbs.archlinux.org/viewtopic.php?id=207549">bricked their laptop</a>. It was a fascinating story and I lost a good hour or so reading through that thread, the <a href="https://github.com/systemd/systemd/issues/2402">GitHub issues</a> and responses etc...</p>
<p>The exact specifics might …</p><p>There was an email posted to the <a href="https://plug.org.au">PLUG</a> mailing lists recently about a user that had run <code>rm -rf /</code> and <a href="https://bbs.archlinux.org/viewtopic.php?id=207549">bricked their laptop</a>. It was a fascinating story and I lost a good hour or so reading through that thread, the <a href="https://github.com/systemd/systemd/issues/2402">GitHub issues</a> and responses etc...</p>
<p>The exact specifics might be different but it's an issue I've seen crop up a few times before: Should we (that is the Linux community and more specifically systemd) change our software to work around manufacturers crappy firmware (by making /sys/firmware/efi/efivars/ read only by default) or should we stick to our guns and demand that manufactures ship hardware that doesn't bork when we do something that is allowed by the (UEFI) spec.</p>
<p>I personally lean towards saying this is a manufacturer fault not a Linux issue and that motherboards that can't post after their EFI settings have been wiped should be RMAed.</p>
<p>But both sides have merit and it's not really fair to say to users that have just bricked their device "sure, it's a known issue and we could have done something to prevent that. But we decided it's not our problem to fix, go speak to the manufacturer."</p>
<p>It looks like in this case the user got their laptop replaced under warranty without issues but we can't count on that happening every time. I expect there would be plenty of devices out there that have broken EFI implementations and are out of warranty<sup id="fnref:warranty"><a class="footnote-ref" href="#fn:warranty">1</a></sup> and they won't be able to get their devices replaced.</p>
<p>Our software shouldn't be able to break users hardware. I like to encourage users to explore their system and learn for themselves and I often say things like "Don't worry, try things out, we have backups you can't really break anything" to timid users, I want that to remain true.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:warranty">
<p>or vendors who would argue that doing anything advanced link installing Linux voids the warranty, but that's a different <strike>rant</strike> debate. <a class="footnote-backref" href="#fnref:warranty" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>AviD's Rule of Usability2016-01-28T07:00:00+08:002016-01-28T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-01-28:/avids-rule-of-usability.html<p>There is a <a href="http://security.stackexchange.com/a/6116/33">quote</a> that's been floating around Security Stack Exchange for a while that I like, it's called <strong>AviD's Rule of Usability</strong>:</p>
<blockquote>
<p>"Security at the expense of usability, comes at the expense of security."</p>
</blockquote>
<p>I think it's brilliant. I've see it several times where security has made things too …</p><p>There is a <a href="http://security.stackexchange.com/a/6116/33">quote</a> that's been floating around Security Stack Exchange for a while that I like, it's called <strong>AviD's Rule of Usability</strong>:</p>
<blockquote>
<p>"Security at the expense of usability, comes at the expense of security."</p>
</blockquote>
<p>I think it's brilliant. I've see it several times where security has made things too hard and so people have just found workarounds that nullify all the security controls.</p>Gamification of Security2016-01-21T07:00:00+08:002016-01-21T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-01-21:/gamification-of-security.html<p>I've been thinking a lot recently about gamification of security. Giving people scores for how well they do security. Things like getting an "A+" on the <a href="https://www.ssllabs.com/ssltest/analyze.html?d=xo.tc">SSL Labs</a> or on <a href="https://securityheaders.io/?q=https%3A%2F%2Fxo.tc">securityheaders.io</a> test.</p>
<p>Working through Google or Facebook's "Security Checklists" of things like password length and enabling 2 factor authentication …</p><p>I've been thinking a lot recently about gamification of security. Giving people scores for how well they do security. Things like getting an "A+" on the <a href="https://www.ssllabs.com/ssltest/analyze.html?d=xo.tc">SSL Labs</a> or on <a href="https://securityheaders.io/?q=https%3A%2F%2Fxo.tc">securityheaders.io</a> test.</p>
<p>Working through Google or Facebook's "Security Checklists" of things like password length and enabling 2 factor authentication where you get a big green tick and a better score for each one you setup. Or password meters that go up with the <a href="https://xo.tc/password-strength.html">strength</a> of your password.<sup id="fnref:strength"><a class="footnote-ref" href="#fn:strength">1</a></sup></p>
<p>I think many people (my self included) will try to get a high score, and by doing so improve their security. One of the slightly creepy books that seems to be popular in silicon valley at the moment is <a href="http://www.booktopia.com.au/hooked-nir-eyal/prod9780241184837.html?source=pla&gclid=CKmCwMnVuMoCFYUGvAodeioCTg">Hooked: How to Build Habit-Forming Products</a><sup id="fnref:hooked"><a class="footnote-ref" href="#fn:hooked">2</a></sup> while that book is trying to suck more money out of people playing games like candy crush it does make me think:</p>
<p>What psychological techniques can we use to make people actually <em>want</em> security, rather than feeling like they are having it forced on them.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:strength">
<p>Sure sometimes those things are just a check box and they don't stop things like password reuse. But as long as they don't restrict which passwords you can use (e.g. must have a special character) if they encourage most user to make a better password then they are worth having. <a class="footnote-backref" href="#fnref:strength" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:hooked">
<p>I heard about it from Aral Barkan's talk talk <a href="https://www.youtube.com/watch?v=ctVOEeowc9U">Decentralise Everything</a>, it's not related to gamification but it's worth watching. <a class="footnote-backref" href="#fnref:hooked" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>Why I can't patch the Juniper Backdoor2016-01-14T07:00:00+08:002016-01-14T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-01-14:/why-i-cant-patch-the-juniper-backdoor.html<p>It's Thursday the 14th of January 2016, and it's now 25 days after I first heard about the <a href="https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST">Juniper backdoor</a> (I heard about it on Monday the 21st of December 2015) and I still haven't patched it yet. We don't use the VPN and have never had SSH open to …</p><p>It's Thursday the 14th of January 2016, and it's now 25 days after I first heard about the <a href="https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST">Juniper backdoor</a> (I heard about it on Monday the 21st of December 2015) and I still haven't patched it yet. We don't use the VPN and have never had SSH open to the internet so this isn't a world ending bug for us but it's still something pretty major that I want fixed.</p>
<p>When I heard about the bug I went off to the Juniper website to download the update but to my surprise I was greeted with this:</p>
<p><img alt="Login Box" src="https://xo.tc/images/juniper-login-screen.png"></p>
<p>I needed an account to download software updates. I didn't have one<sup id="fnref:account"><a class="footnote-ref" href="#fn:account">1</a></sup>, so I went to sign up.</p>
<p>In the sign up form I needed my device serial number, so I went off and looked up the serial number. Then when I submitted it, I got a message saying my account needed to be validated and that I would get an email soon. I'm not sure if validation is a manual process or the flood of new sign ups from people wanting to patch their kit just overwhelmed their servers<sup id="fnref:overwhelmed"><a class="footnote-ref" href="#fn:overwhelmed">2</a></sup> but 24 hours later I still had no email. So I tried to sign up again but it said there was already a pending application for my email address<sup id="fnref:email-address"><a class="footnote-ref" href="#fn:email-address">3</a></sup> so validation was clearly still ongoing.</p>
<p>Finally at 20:37 on Thursday (just over four days later) the email with my security key to activate my account was sent, it said I needed to activate my account by the 3rd of January or the key would expire. The only problem is our office had closed for the end of year holidays at 17:00 on the 24th (we closed 4 hours before the validation email was sent) and our office wouldn't be open again until the 4th of January (the day after the activation key expired).<sup id="fnref:office-closure"><a class="footnote-ref" href="#fn:office-closure">4</a></sup></p>
<p>On Monday the 4th when I got to work and found the email with my (now expired) security key. So I went to try again to create an account, only to be given this message:</p>
<p><img alt="Juniper Maintenance Screen" src="https://xo.tc/images/juniper-maintenance-screen.png">
<a href="http://www.juniper.net/support/maintenance-entitlement.html">currently here but it may be removed</a></p>
<p>Juniper were doing maintenance and wouldn't be allowing sign ups for another week and a half.</p>
<p>So here we are Thursday morning, and I still haven't created an account or downloaded a patch yet but hopefully today I will be able sign up. And who knows if I get validated a bit more quickly I might even be able to secure my kit some time this week. I'm not sure what Juniper thinks it's achieving by not letting unregistered users download security updates<sup id="fnref:security-updates"><a class="footnote-ref" href="#fn:security-updates">5</a></sup> but when I am looking at buying firewalls in future I will be looking for a brand that doesn't lock it's software updates away. Most likely something open source like <a href="https://www.pfsense.org/">PFSense</a>, <a href="http://www.mikrotik.com/">MikroTik</a> or maybe something that can run <a href="http://vyos.net/wiki/Main_Page">VyOS</a>.</p>
<p>Maybe I've got my priorities the wrong way around but I'm far more annoyed by the process I've had to go through to fix the backdoor than I was about the fact that there was a backdoor in the first place.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:account">
<p>I probably should have had an account before this all happened to download previous firmware images to fix other CVEs that didn't get as much press coverage, but I'm sure I'm not the only one in this boat. <a class="footnote-backref" href="#fnref:account" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:overwhelmed">
<p>Or maybe it's automated but always this slow, I don't know. <a class="footnote-backref" href="#fnref:overwhelmed" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:email-address">
<p>I could have used a different address but I'm not convinced that would have helped. <a class="footnote-backref" href="#fnref:email-address" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
<li id="fn:office-closure">
<p>Our office being closed is in no way Juniper's fault, but taking four days to create an account to download security fixes seems unreasonably long. <a class="footnote-backref" href="#fnref:office-closure" title="Jump back to footnote 4 in the text">↩</a></p>
</li>
<li id="fn:security-updates">
<p>Sure it's more than just a security patch, it's the whole firmware but it should still be freely downloadable. <a class="footnote-backref" href="#fnref:security-updates" title="Jump back to footnote 5 in the text">↩</a></p>
</li>
</ol>
</div>TS Block2016-01-07T07:00:00+08:002016-01-07T07:00:00+08:00Michael Van Delfttag:xo.tc,2016-01-07:/ts-block.html<p><a href="https://github.com/EvanAnderson/ts_block">TS Block</a> is one of my favorite little scripts for Windows Terminal Servers it's a bit like Fail2ban for Windows.</p>
<p>It's a fairly simple script with a few configurable options and sane defaults that does pretty much what it says on the tin. After a set number of failed logins …</p><p><a href="https://github.com/EvanAnderson/ts_block">TS Block</a> is one of my favorite little scripts for Windows Terminal Servers it's a bit like Fail2ban for Windows.</p>
<p>It's a fairly simple script with a few configurable options and sane defaults that does pretty much what it says on the tin. After a set number of failed logins in a given time to a terminal server it will add a rule to the windows fire wall to block all traffic from that address.</p>
<p><img alt="Windows firewall after TS Block has been running for a few days" src="https://xo.tc/images/ts_block.png">
Windows firewall after TS Block has been running for a few days.</p>
<p>It when it blocks an IP address it doesn't just block logins but blocks all traffic from that address. If you have a windows server with port 3389 open to the internet for any reason, for example maybe you have just started an Amazon EC2 with it's default settings and haven't just white listed your IP address. I'd recommend adding TS Block to your server.</p>
<p>Personally I go with a fairly restrictive approach of 5 failed logins in 10 minutes gets a 24 hour ban. It's enough to give legitimate users a couple of guesses if they have forgotten / mistyped their password but at a maximum of 1 guess every 2 minutes it blocks brute forcing accounts. It also instantly blocks any address that attempts to login as Administrator<sup id="fnref:Administrator"><a class="footnote-ref" href="#fn:Administrator">1</a></sup>.</p>
<p>Even though I've been around for a while and should be used to this sort of thing, I still find it staggering how many brute forcing bots are out there I get 20 to 30 unique IPs banned every day<sup id="fnref:Traffic"><a class="footnote-ref" href="#fn:Traffic">2</a></sup>.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:Administrator">
<p>Which I disable anyway and create a new Administrative account with a different name. <a class="footnote-backref" href="#fnref:Administrator" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:Traffic">
<p>While that might not sound like a lot it's more than the amount of legitimate web traffic this site gets each day. I'd be pretty happy with 20 or 30 unique views each day. <a class="footnote-backref" href="#fnref:Traffic" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>HTTP Secuirty Headers2015-12-31T07:00:00+08:002015-12-31T07:00:00+08:00Michael Van Delfttag:xo.tc,2015-12-31:/http-secuirty-headers.html<p>This week I decided to play around with <a href="https://securityheaders.io/">securityheaders.io</a> and see if I could get an A+ rating.</p>
<p><img alt="Security Headers" src="https://xo.tc/images/security-headers.png"></p>
<p>I already had <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning">Public Key Pinning</a> and Strict Transport Security so those two were easy.</p>
<p>Then I added Xss-Protection, but I wasn't sure what exactly it did. After a bit of …</p><p>This week I decided to play around with <a href="https://securityheaders.io/">securityheaders.io</a> and see if I could get an A+ rating.</p>
<p><img alt="Security Headers" src="https://xo.tc/images/security-headers.png"></p>
<p>I already had <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning">Public Key Pinning</a> and Strict Transport Security so those two were easy.</p>
<p>Then I added Xss-Protection, but I wasn't sure what exactly it did. After a bit of searching it looks like Internet Explorer (and possibly now chrome) have some system setup to detect reflected xss attacks. I'm guessing it's probably by looking through the URL for suspicious script tags or something but there doesn't seem to be any good documentation on what exactly it dose. From what I could find it was on by default in IE now anyway so to me it seemed a bit redundant but I wanted the A+ and it didn't look like it would hurt.</p>
<p>Next I added the X-Frame-Options I thought about this for a while, I don't really care if my site is rendered in an iframe. It's not like I've got anything worth click jacking and all the content is creative commons but then I also can't think of any good reason to allow my site to be in an iframe so in the end I decided to go with <code>SAMEORIGIN</code>.</p>
<p>Then I added the X-Content-Type-Options again for the type of site I've got which doesn't allow users to post content it seems a bit redundant but again I don't think it will hurt.</p>
<p>Then lastly I got to the Content-Security-Policy this was the hardest one I think for most sites that can implement it the most effective at combating xss. I've implemented what I think should be mostly right or at least I get no errors when I browse to it with Chrome or Internet Explorer but Firefox gives me an error about the piwik analytics script. The script is in line and I don't want to include <code>unsafe-inline</code> so I've done a SHA-256 hash of the script. I think I've run into <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1026520">Bug 1026520 - Erroneous CSP reports for hash-source</a>.</p>
<p>Below is a copy of part of my Apache config.</p>
<div class="highlight"><pre><span></span><code><span class="nt">Header</span> <span class="nt">always</span> <span class="nt">set</span> <span class="nt">Public-Key-Pins</span> <span class="err">\</span>
<span class="s2">"pin-sha256=\"VOKQJ5j5cC1zM1weHSwo/iF5RGMaSVBllI1VIFKvBzU=\"; \</span>
<span class="s2"> pin-sha256=\"pk/Xlc/DPy+/Y6kxFTlwaFu4LyIq6c5rOLbNZXk/c/w=\"; \</span>
<span class="s2"> max-age=5184000; \</span>
<span class="s2"> includeSubDomains"</span>
<span class="nt">Header</span> <span class="nt">always</span> <span class="nt">add</span> <span class="nt">Strict-Transport-Security</span> <span class="s2">"max-age=31536000"</span>
<span class="nt">Header</span> <span class="nt">always</span> <span class="nt">append</span> <span class="nt">X-Frame-Options</span> <span class="nt">SAMEORIGIN</span>
<span class="nt">Header</span> <span class="nt">always</span> <span class="nt">append</span> <span class="nt">X-Content-Type-Options</span> <span class="nt">nosniff</span>
<span class="err">#</span> <span class="nt">This</span> <span class="nt">seems</span> <span class="nt">a</span> <span class="nt">bit</span> <span class="nt">vague</span> <span class="nt">and</span> <span class="nt">redundant</span><span class="o">,</span> <span class="nt">but</span> <span class="nt">I</span> <span class="nt">guess</span> <span class="nt">it</span> <span class="nt">can</span><span class="s1">'t hurt to add it. https://stackoverflow.com/questions/9090577</span>
<span class="s1">Header always set X-Xss-Protection "1; mode=block"</span>
<span class="s1">Header always append Content-Security-Policy: \</span>
<span class="s1"> "default-src '</span><span class="nt">self</span><span class="s1">' https://www.mightyburger.com.au https://fonts.gstatic.com; \</span>
<span class="s1"> img-src '</span><span class="nt">self</span><span class="s1">' https://www.mightyburger.com.au https://i.creativecommons.org https://licensebuttons.net; \</span>
<span class="s1"> script-src '</span><span class="nt">self</span><span class="s1">' https://www.mightyburger.com.au '</span><span class="nt">sha256-w0f3</span><span class="o">/</span><span class="nt">LWV2JV80K3yqctPR1QAktxEMLuWC5eY1PF9228</span><span class="o">=</span><span class="s1">'; \</span>
<span class="s1"> style-src '</span><span class="nt">self</span><span class="err">'</span> <span class="nt">https</span><span class="o">://</span><span class="nt">fonts</span><span class="p">.</span><span class="nc">googleapis</span><span class="p">.</span><span class="nc">com</span><span class="o">;</span> <span class="err">\</span>
<span class="nt">report-uri</span> <span class="nt">https</span><span class="o">://</span><span class="nt">report-uri</span><span class="p">.</span><span class="nc">io</span><span class="o">/</span><span class="nt">report</span><span class="o">/</span><span class="nt">a91e682bc2af2ea5e6a5e2cb539fc805</span><span class="err">"</span>
</code></pre></div>Using CyanogenMod on the Samsung Galaxy S42015-12-24T07:00:00+08:002015-12-24T07:00:00+08:00Michael Van Delfttag:xo.tc,2015-12-24:/using-cyanogenmod-on-the-samsung-galaxy-s4.html<p>I've been using <a href="http://www.cyanogenmod.org/">CyanogenMod</a> pretty much since day one after I got my Samsung Galaxy S4 which was my first Android phone. After the best phone I ever owned, a <a href="https://en.wikipedia.org/wiki/Nokia_N900">Nokia N900</a> got to the point where battery life was about 8 hours I felt that I needed to upgrade …</p><p>I've been using <a href="http://www.cyanogenmod.org/">CyanogenMod</a> pretty much since day one after I got my Samsung Galaxy S4 which was my first Android phone. After the best phone I ever owned, a <a href="https://en.wikipedia.org/wiki/Nokia_N900">Nokia N900</a> got to the point where battery life was about 8 hours I felt that I needed to upgrade<sup id="fnref:upgrade"><a class="footnote-ref" href="#fn:upgrade">1</a></sup> to a newer phone. The iPhone has a much better security track record and if someone was looking for the most secure phone I'd (begrudgingly) have to recommend an iPhone. However the walled garden approach Apple take with their products and the very closed nature of the device just doesn't sit well with me.</p>
<p>So that left me with Android, but I wanted to get a device with out all the bloated irremovable crapware that vendors like Telstra<sup id="fnref:telstra"><a class="footnote-ref" href="#fn:telstra">2</a></sup> or amazing keyboard <a href="https://www.nowsecure.com/keyboard-vulnerability/">features</a> that Samsung loaded on their phone. I just wanted something pretty close to stock Android, but something that got regular security updates which seems to have been the Achilles heel of Android.</p>
<p>In the end I decided to go with CyanogenMod but in order to load that onto my phone I needed to add a new recovery image to my phone called <a href="https://www.clockworkmod.com/">ClockworkMod</a>. To do that you need to boot into 'Download Mode' by holding the volume down button while booting and then flash the image onto the phone. Unfortunately all the tutorials I could find recommended using Samsung Odin, but Odin has never been officially released by Samsung so the only copies I could find were dodgey looking 'leaked' copies from torrents and other warez sites.</p>
<p>Out of interest I downloaded one copy of Odin and uploaded it to <a href="https://www.virustotal.com/">virustotal</a> where about 8 or 9 AV tools marked it as a Trojan. After a bit of searching I found <a href="http://glassechidna.com.au/heimdall/">Heimdall</a> a nice open source cross platform alternative to Odin that works quite well.</p>
<p>Armed with Heimdall I was able to flash ClockworkMod onto my phone and then download the CyanogenMod zip file and boot into 'recovery mode' by holding volume up while booting and then I could wipe my phone's stock firmware and install CyanogenMod.</p>
<p>Since then I haven't really looked back, the stock Android experience is pretty good. In fact I'd argue it's better than the Samsung TouchWiz UI (but still not as good as the old Nokia N900 was). I get updates regularly and I've only got a couple of apps installed that I don't want or use<sup id="fnref:apps"><a class="footnote-ref" href="#fn:apps">3</a></sup> which is much better than the 20 or so junk apps it came with.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:upgrade">
<p>Or downgrade, depending on how you look at it. <a class="footnote-backref" href="#fnref:upgrade" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:telstra">
<p>Australia's largest Telco, with about a 50% market share when I bought my phone. <a class="footnote-backref" href="#fnref:telstra" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:apps">
<p>There is one called 'AudioFX' that seems to be a music equalizer and a 'Themes' app but I've only got one theme installed. <a class="footnote-backref" href="#fnref:apps" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
</ol>
</div>What exactly is encrypted with Android full disk encryption?2015-12-17T07:00:00+08:002015-12-17T07:00:00+08:00Michael Van Delfttag:xo.tc,2015-12-17:/what-exactly-is-encrypted-with-android-full-disk-encryption.html<p>I've been running <a href="http://www.cyanogenmod.org/">CyanogenMod</a> on my Samsung Galaxy S4 since pretty much the day I bought it. As far as I can tell it's pretty close to the stock Android Open Source Project (<a href="https://source.android.com/">AOSP</a>) with a minimum of bloat and a few Google things (like the Play Store) removed<sup id="fnref:play-store"><a class="footnote-ref" href="#fn:play-store">1 …</a></sup></p><p>I've been running <a href="http://www.cyanogenmod.org/">CyanogenMod</a> on my Samsung Galaxy S4 since pretty much the day I bought it. As far as I can tell it's pretty close to the stock Android Open Source Project (<a href="https://source.android.com/">AOSP</a>) with a minimum of bloat and a few Google things (like the Play Store) removed<sup id="fnref:play-store"><a class="footnote-ref" href="#fn:play-store">1</a></sup>. You can reinstall the <a href="https://wiki.cyanogenmod.org/w/Google_Apps">Google Apps</a> but many, my self included just stick with <a href="https://f-droid.org/">F-Droid</a><sup id="fnref:F-Droid"><a class="footnote-ref" href="#fn:F-Droid">2</a></sup>.</p>
<p>Mostly I had just been running the stable release but a few months ago I decided I'd like to upgrade to Android 5 and was going to move across to <a href="http://download.cyanogenmod.org/?device=jfltexx&type=nightly">nightly</a>. As this was a big step I though I'd take the opportunity to completely format my phone and start again rather than upgrade and I would also enable full disk encryption.</p>
<p>Now with any "Full Disk Encryption" solution that you want to boot you still need a small unencrypted partition to boot from in order to get to the point where you can display a password prompt decrypt the rest of the disk. For example when setting up <a href="https://gitlab.com/cryptsetup/cryptsetup">LUKS</a> you need to have <code>/boot/</code> unencrypted and you can encrypt the rest of the partitions. <code>/boot/</code> doesn't need to be on the same physical disk as the one that's getting encrypted, in fact you could burn it to a CD so it's read only and boot from that. Then your hard disk really would be <em>fully</em> encrypted but you still need <code>/boot/</code> unencrypted somewhere.</p>
<p>Obviously some things have to be stored unencrypted but I was expecting that I would need to decrypt my disk somehow before I could upgrade to newer nightly builds of CyanogenMod. I assumed only a small part of the OS would be unencrypted but I found that if I booted into recovery mode I could reflash my device without decrypting it. By sideloading a zip file <code>adb sideload cm-12.1-20151010-NIGHTLY-jfltexx.zip</code> so it looks like the whole OS (that is the contence of the zip file) is unencrypted but presumably all the apps and user data are encrypted, which leads me to the headline <em>What exactly is (and is not) encrypted with Android full disk encryption?</em></p>
<p>I tried searching for some write ups but couldn't find anything so I decided to break out <a href="http://developer.android.com/tools/help/adb.html">ADB</a> and actually read the <a href="https://source.android.com/devices/tech/security/encryption/">documentation</a> and investigate.</p>
<p>From my digging it looks like everything in <code>/data</code> is encrypted and everything else is unencrypted. Apps and all their associated data seems to be in <code>/data/data</code> user data (for example my downloads, photos I've taken, music, etc...) are stored in <code>/data/media/</code>.</p>
<p>I think that's a fairly reasonable decision to just encrypt <code>/data</code> because the android OS itself is not really what you want to protect.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:play-store">
<p>I think they did include it for a while but were <a href="http://www.cyanogenmod.org/blog/cyanogenmod-installer-application-removed-from-play-store">asked</a> by Google to remove it but I haven't really followed all the details. <a class="footnote-backref" href="#fnref:play-store" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:F-Droid">
<p>As this is a security blog I feel I should point out that I use F-Droid for philosophical open source reasons, not for security reasons. Moxie Marlinspike made a <a href="https://web.archive.org/web/20150907025746/http://support.whispersystems.org/customer/portal/articles/1476204-why-do-i-need-google-play-installed-to-use-textsecure-on-android-">good post</a> where he points out that enabling "unknown sources" or "allow 3rd party APKs" is one of the most harmful things the average android user can do the the security of their system. <a class="footnote-backref" href="#fnref:F-Droid" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>Ruxcon 11 (2015)2015-12-10T07:00:00+08:002015-12-10T07:00:00+08:00Michael Van Delfttag:xo.tc,2015-12-10:/ruxcon-11-2015.html<p>I was lucky enough to be able to go across to Melbourne for <a href="https://ruxcon.org.au/">Ruxcon</a> in 2015 and it was an absolute blast. I'd recommend it to any budding security professional that wants to meet people in the industry and see some great talks. There is a good mix of activities …</p><p>I was lucky enough to be able to go across to Melbourne for <a href="https://ruxcon.org.au/">Ruxcon</a> in 2015 and it was an absolute blast. I'd recommend it to any budding security professional that wants to meet people in the industry and see some great talks. There is a good mix of activities and talks, I think you could spend your whole time at Ruxcon just doing one or the other.</p>
<p>There was a hardware hacking village where people were breaking out the soldering irons and working on circuit boards, I didn't really get a chance to visit that but it sounded pretty ammazing.</p>
<p>They also had ruxlocks where people where learning how to pick locks and handcuffs. I was really exited to try it out and they had a practice lock. It was a padlock where the base was made of clear plastic so you could see the pins as you moved them with the lock pick. I managed to unlock that fairly quickly (about 3 or 4 minutes which is not too bad for a first try). Then I moved on to a real padlock and after a while I managed to open that as well.</p>
<p><img alt="Padlock" src="https://xo.tc/images/picking-padlock.png">
<img alt="Padlock Open" src="https://xo.tc/images/picking-padlock-open.png"></p>
<p>Then I had a go with the handcuffs, that went pretty well. I started with just one cuff on and the other hand free and got out of it surprisingly easily. So then I tried to do it with both wrists and just after I'd locked my self up, the pizza arrived. Not wanting to miss out I ate pizza with handcuffs on then got back to picking my way to freedom.</p>
<p><img alt="Handcuffs" src="https://xo.tc/images/picking-handcuffs.png"></p>
<p>I also spent a bit of time the capture the flag competition where I feel that I did reasonably well. I got all the easy flags at any rate.</p>
<p>And while all that was going on there were also two streams of talks running as well. I tried to see as many talks as I could but didn't see as many as I'd have liked. One of the stand out talks for me was <a href="https://ruxcon.org.au/speakers/#Vanessa%20Teague">Vanessa Teague's talk</a> on the iVote system. It was a both fascinating and horrifying view into how the New South Wales online voting system was designed.</p>
<p>If you have never been to Ruxcon before but are interested in security I would recommend checking it out, it's well worth the money.</p>Using Piwik Analytics2015-12-03T07:00:00+08:002015-12-03T07:00:00+08:00Michael Van Delfttag:xo.tc,2015-12-03:/using-piwik-analytics.html<p>I once heard Google Analytics described as crack cocaine for marketing folks and webmasters. Now I've never tried crack cocaine, but I have tried Google Analytics and I can see why once you have had it, it's pretty hard to let go.</p>
<p>It gives you a bunch of information, most …</p><p>I once heard Google Analytics described as crack cocaine for marketing folks and webmasters. Now I've never tried crack cocaine, but I have tried Google Analytics and I can see why once you have had it, it's pretty hard to let go.</p>
<p>It gives you a bunch of information, most of which is useless for most webmasters<sup id="fnref:useless"><a class="footnote-ref" href="#fn:useless">1</a></sup>. It could be argued the knowing that 20% of your visitors are on mobile, or that x% are using firefox or y% are still using IE8 is useful. In means you know what to focus on supporting and which browser to design for<sup id="fnref:browsers"><a class="footnote-ref" href="#fn:browsers">2</a></sup>. Knowing what content is most popular can be useful and knowing where your traffic is coming from might help you work out where to focus your advertising.</p>
<p>All those things are kind of useful, but the thing that I think gets most people hooked is the self validation and being able to track your popularity. If you have ever made a post on facebook and then obsessively refreshed the page to see how many likes you get you know what I'm talking about. It gives you all sorts of stats about how often people visit your site, how long they stay there for, what content they look at and where they are coming from.</p>
<p>Piwik gives you all of that, it's growing very fast and very easy to setup and install. The first time I installed Piwik I went over to their <a href="http://piwik.org/docs/">docs page</a> and had a self hosted analytics tool setup installed and running with in about an hour and I'm sure with practice it wouldn't be too hard to get a server setup in under 15 minutes.</p>
<p>There are some good arguments for using Piwik over Google Analytics too, for one thing you can then choose to respect <a href="http://donottrack.us/">do not track</a> requests. But the other reason is that your sending people's personal data to a third party. If you have Google Analytics on your site, it's not just you who knows when people are visiting but Google knows who is visiting your site. They know in more detail than you do, they know the IP address and details of people who visited your site rather than just the information in aggregate which you get.</p>
<p>They can then use this massive amount of data about who visits which sites, when and for how long to do targeted advertising. I don't like the idea that Google are tracking people not just on their own sites, but on sites they don't control which use Google Analytics.</p>
<p>I think it's reasionable to argue that people using Google services like Mail and Search are aware that Google are tracking them and are choosing to give up their data and privacy to Google in exchange for a free<sup id="fnref:free"><a class="footnote-ref" href="#fn:free">3</a></sup> service. But with Analytics it's not the same trade off, it's the webmaster that's getting the benefit of the service, but it's the users of the site not the webmaster who are giving up their privacy and they get nothing in return.</p>
<p>So if you wan't don't want to share your users browsing habits with a third party but still want analytics, Piwik is an excilent alternitive. It's easy to setup one Piwik install for multiple sites, on this site I'm using using a Piwik server from another site<sup id="fnref:other-site"><a class="footnote-ref" href="#fn:other-site">4</a></sup> that I run.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:useless">
<p>Where is that flameproof fire fighter's suit when you need it? And yes, I'm fully aware of the irony that <a href="https://xo.tc/adoption-of-new-technologies.html">last week's post</a> was about how great it is that Google have statistics about IPv6 addoption. <a class="footnote-backref" href="#fnref:useless" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:browsers">
<p>Yes... It would be great if we lived in a world where all our sites would just stick to standards complaint HTML and CSS and which browser people choose to use shouldn't be an issue. <a class="footnote-backref" href="#fnref:browsers" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:free">
<p>gratis not libre <a class="footnote-backref" href="#fnref:free" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
<li id="fn:other-site">
<p>For those that are curious view this page source, I haven't tried to hide it. <a class="footnote-backref" href="#fnref:other-site" title="Jump back to footnote 4 in the text">↩</a></p>
</li>
</ol>
</div>Adoption of new technologies2015-11-26T07:00:00+08:002015-11-26T07:00:00+08:00Michael Van Delfttag:xo.tc,2015-11-26:/adoption-of-new-technologies.html<p>Google have published some <a href="https://www.google.com/intl/en/ipv6/statistics.html">statistics</a> about the rate of IPv6 adoption. They have a better view into traffic and adoption rates than most and so their statistics are generally considered to be the most accurate, but I've always found their graph a little puzzling. Some days it's around 9% and …</p><p>Google have published some <a href="https://www.google.com/intl/en/ipv6/statistics.html">statistics</a> about the rate of IPv6 adoption. They have a better view into traffic and adoption rates than most and so their statistics are generally considered to be the most accurate, but I've always found their graph a little puzzling. Some days it's around 9% and others it's about 7%.</p>
<p><img alt="IPv6 Adoption rates over years" src="https://xo.tc/images/google-IPv6-adoption-years.png"></p>
<p>It's clearly going up but for something that seems like it should be a fairly smooth graph<sup id="fnref:smooth"><a class="footnote-ref" href="#fn:smooth">1</a></sup> it seems to have a huge amount of fluctuation.</p>
<p>I couldn't work out why there was such variation until I started to zoom in and view the data over a few weeks rather than years.</p>
<p><img alt="IPv6 Adoption rates over weeks" src="https://xo.tc/images/google-IPv6-adoption-weeks.png"></p>
<p>When you zoom in a bit more you can see that there is a spike in IPv6 traffic over the weekend and then it drops off on weekdays. I have a theory that when people visit Google on weekdays most of them are at work. Many people are on an "enterprise" network. This means that changes move slowly, usually need a cost benefit analysis to change anything and changes need to be signed off by different folk.</p>
<p>While on the weekends they are on their home network or mobile phones and probably just get IPv6 as soon as their ISP rolls it out.</p>
<p><img alt="IPv6 Adoption rates over weekends" src="https://xo.tc/images/google-IPv6-adoption-weekends.png"></p>
<p>It seems reasonable to assume that IPv6 rollout is much more progressed for home users than it is for business.</p>
<p>Interestingly this is not the only place you can see these patterns. Wikipedia also shares some interesting <a href="https://grafana.wikimedia.org/dashboard/db/tls-ciphers">statistics</a> about which ciphers are being used in TLS connections by people browsing Wikipedia.</p>
<p><img alt="TLS Ciphers" src="https://xo.tc/images/wikipedia-ciphers.png"></p>
<p>On this graph, I've only shown two ciphers because I believe these two show the clearest example<sup id="fnref:example"><a class="footnote-ref" href="#fn:example">2</a></sup>. You can easily see a spike in the modern high-quality ciphers like AES on the weekends and a drop on weekdays. While low-quality ciphers like Triple DES are the reverse, with spikes Monday to Friday and then a drop off over the weekend. Again my theory is that it's because when people are at work they are using the work "Standard Operating Environment" which probably still includes IE8 as the only browser because "that's what works with the intranet". While at home, people use their browser of choice usually something more modern like Firefox or Chrome.</p>
<p>I suppose that saying "new technologies tend to be adopted by consumers before they are adopted by enterprise" isn't some revolutionary new insight. But it is interesting to see how clear and far-reaching the effects of that are, even down to changing how much a particular cipher is used on Wikipedia depending on if it's a Tuesday or a Sunday.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:smooth">
<p>By smooth, I mean that most people don't roll out IPv6 one day and then roll back to IPv4 the next just for kicks. <a class="footnote-backref" href="#fnref:smooth" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:example">
<p>It does happen across the board but it's harder to see when you have 20 or so ciphers shown at once. <a class="footnote-backref" href="#fnref:example" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>Good Bye Google2015-11-19T07:00:00+08:002015-11-19T07:00:00+08:00Michael Van Delfttag:xo.tc,2015-11-19:/good-bye-google.html<p>I'm planning on writing a series of posts tagged with "<a href="https://xo.tc/tag/good-bye-google.html">Good bye Google</a>" that will cover my progress over the last few year in leaving the Google eco-system and moving to open source self hosted alternatives.</p>
<p>I wanted to start with this post first though to explain my rational behind …</p><p>I'm planning on writing a series of posts tagged with "<a href="https://xo.tc/tag/good-bye-google.html">Good bye Google</a>" that will cover my progress over the last few year in leaving the Google eco-system and moving to open source self hosted alternatives.</p>
<p>I wanted to start with this post first though to explain my rational behind the decision. I think the first thing I should cover is why you should <strong>not</strong> migrate away from Google services. There are many good reasons to use Google's infrastructure;</p>
<ul>
<li>Google is significantly cheaper than running your own kit, even if you host everything on a single cheap VPS or hosted on your home ADSL connection it's still going to cost you.</li>
<li>Google is more reliable, there is just no way you can get the kind of uptime that Google has if your hosting stuff on a home ADSL connection or with a single VPS provider.</li>
<li>Google is more secure, you might be pretty good at locking your server down, and your going to be a much smaller target which is good, but Google has teams of Experts working on this.</li>
<li>Google is lot less work, hosting your own servers is not just a weekend setting them up then forget about it, at the very least you need to keep applying security patches and usually you will need to upgrade when new major versions of software come out and troubleshooting when things break. If you self host everything expect to spend a minimum of an hour or two every month on maintenance.</li>
<li>Google will <a href="http://lwn.net/Articles/649138/">fight government demands for your email in court</a> and has teams of lawyers that you simply couldn't afford.</li>
<li>Lastly I think it's a better user experience, this one could be debated until the cows come home because it's so subjective but I think Google do a pretty good job of UI design and integration between different Google services.</li>
</ul>
<p>I don't think Google is evil or unethical in some way. While I don't agree with every decision they make, on the whole I think they are mostly a pretty good company. So you might be wondering with all these downsides why would you go to self hosted? Well it's not for the faint hearted. For me it's mostly a mix of being a bit of a tinkerer by nature, I like to build things for the sheer joy of seeing how they work. Also I care about sovereignty of data more than I care about the other factors like user experience.</p>
<p>I think that Bruce Schneier has a great metaphor where he likens <a href="https://www.schneier.com/blog/archives/2012/12/feudal_sec.html">tech companies to feudal lords</a>. It's a great analogy and if you haven't seen it before I recommend reading it.</p>
<p>I will be updating this post with links to the relevant posts which will cover each one in more details but the services I had with Google were:</p>
<ul>
<li><strong>Analytics</strong> - I've moved to <a href="https://piwik.org/">Piwik</a>. Related <a href="https://xo.tc/using-piwik-analytics.html">post</a>.</li>
<li><strong>Android</strong> - I'm still using Android but I'm using <a href="http://cyanogenmod.org/">CynaogenMod</a> which has a lot of the Google services removed. Related <a href="https://xo.tc/using-cyanogenmod-on-the-samsung-galaxy-s4.html">post</a></li>
<li><strong>Calendar</strong> - I'm using <a href="http://owncloud.org">OwnCloud</a> with <a href="https://davdroid.bitfire.at">DAVdroid</a> to sync.</li>
<li><strong>Chrome Browser</strong> - This wasn't a big change because I always preferred <a href="https://www.mozilla.org/en-US/firefox/new/">FireFox</a> as my main browser. There were some developer features that chrome had and FireFox didn't for awhile, so sometimes I'd switch to Chrome but now I feel FireFox is ahead in terms of developer features.</li>
<li><strong>Contacts</strong> - I'm using <a href="http://owncloud.org">OwnCloud</a> with <a href="https://davdroid.bitfire.at">DAVdroid</a> to sync.</li>
<li><strong>Docs</strong> - I did look at <a href="http://www.fengoffice.com/web/">Feng Office</a> and ran it for a while, I've played with <a href="http://etherpad.org/">Etherpad</a> and a few others too. They were all ok but generally I just use LibreOffice and work offline.</li>
<li><strong>Drive</strong> - Using <a href="http://owncloud.org">OwnCloud</a>.</li>
<li><strong>Fonts</strong> - Depending on the license for the font, you can usually download it and host it yourself. EDIT 2016-06-23: I have downloaded the <a href="https://fonts.google.com/specimen/PT+Sans">fonts</a> used by this blog as they are "released with a libre license and can be freely redistributed". I am hosting the fonts for this site myself. So no connections are made to Google when loading this site. (Original text was "Although the theme for this blog uses Google fonts and I haven't moved yet.")</li>
<li><strong>Hangouts</strong> - I rarely used hangouts, maybe two or three times a year. But I use <a href="http://wiki.mumble.info/wiki/Main_Page">Mumble</a> and xmpp a bit. EDIT to add: I started using <a href="https://riot.im/">Riot</a> to chat and make video calls with my fiancé while she was in Vietnam for 3 months. It's works really well and I love it, related <a href="https://xo.tc/seting-up-matrix-synapse-and-riot-on-debian-8-jessie.html">post</a>.</li>
<li><strong>Mail</strong> - This is the big one, I have not migrated yet. I've played with Postfix, EXIM, Dovecot, spamassassin, rainloop, tutanota and a few other bits and pieces. I've got it setup and self hosted for a few of my less critical domains and it's working pretty well, but I haven't made the plunge yet for my main email.</li>
<li><strong>Maps</strong> - <a href="http://http://osm.org/">Open Street Maps</a> from the browser and <a href="http://osmand.net/">OsmAnd</a> on the phone. Related <a href="https://xo.tc/google-maps-vs-openstreetmap.html">post</a></li>
<li><strong>Play Store</strong> - <a href="https://f-droid.org/">F-Droid</a></li>
<li><strong>Reader</strong> - When Google Reader got end of lifed I'd been thinking about moving for a while and in a way it kicked off this whole migration. I moved to <a href="https://newsblur.com/">NewsBlur</a>, it's open source and can be self hosted but I've gone with the paid hosting version for now.</li>
<li><strong>Search</strong> - <a href="https://duckduckgo.com/">Duck Duck Go</a> in my experience the results are not quite as good as Google but they are not too bad. I like the <a href="https://duckduckgo.com/bang">bang searching</a></li>
<li><strong>YouTube</strong> - Have not migrated yet, I only use YouTube to watch videos I've never posted anything. But my mate from work has been using <a href="http://www.mediagoblin.org/">Media Goblin</a> and <a href="https://media.bscable.info/">his Media Goblin site</a> looks pretty good.</li>
</ul>My Experience in the Let's Encrypt Limited Beta.2015-11-12T07:00:00+08:002015-11-12T07:00:00+08:00Michael Van Delfttag:xo.tc,2015-11-12:/my-experience-in-the-lets-encrypt-limited-beta.html<p>I was lucky enough to get into the <a href="https://letsencrypt.org/">Let's Encrypt</a> Limited Beta. I signed up from the link on their <a href="https://community.letsencrypt.org/t/beta-program-announcements/1631">community page</a> and a few days later got the email saying the domains I'd signed up with had been white listed and I could get certificates now.</p>
<p>I went to …</p><p>I was lucky enough to get into the <a href="https://letsencrypt.org/">Let's Encrypt</a> Limited Beta. I signed up from the link on their <a href="https://community.letsencrypt.org/t/beta-program-announcements/1631">community page</a> and a few days later got the email saying the domains I'd signed up with had been white listed and I could get certificates now.</p>
<p>I went to the <a href="https://letsencrypt.readthedocs.org/en/latest/using.html#installation-and-usage">documentation</a> page an started installing the Let's Encrypt client. It all installed and ran without a hitch<sup id="fnref:without-a-hitch"><a class="footnote-ref" href="#fn:without-a-hitch">1</a></sup>.</p>
<p>Just to try it out I ran it using all the defaults without changing anything and it worked pretty well, it created and installed a certificate, it configured Apache to use SSL and just worked. But for production my situation is a bit different because I've been using <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning">public key pinning</a> on my servers so I needed to keep the same key pair.</p>
<p>I found that you could use an existing Certificate Signing Request (CSR), so I made a open config and <a href="http://apetec.com/support/GenerateSAN-CSR.htm">edited</a> it to include my subject alternative names. To setup my certificates I:</p>
<ul>
<li>Generated a CSR, <code>openssl req -out CSR.pem -key www.xo.tc.key -new -sha256 -config /etc/ssl/openssl_san.cnf</code></li>
<li>submitted that to let's encrypt <code>./letsencrypt-auto --csr /home/michael/ssl/CSR.pem certonly --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory</code></li>
</ul>
<p>I was getting really excited, and then... it didn't work. After a quick search on the <a href="https://community.letsencrypt.org/t/asn1-error-when-using-csr/2188">community forums</a> I found that the CSR needed to be in DER format so I:</p>
<ul>
<li>converted it to DER encoding <code>openssl req -inform pem -outform der -in CSR.pem -out CSR.der</code></li>
<li>submitted that to let's encrypt <code>./letsencrypt-auto --csr /home/michael/ssl/CSR.der certonly --agree-dev-preview --server</code></li>
</ul>
<p>I got an error message <code>Error: unauthorized :: The client lacks sufficient authorization :: Error creating new cert :: Authorizations for these names not found or expired: xo.tc</code></p>
<p>I though "this is a Beta so that's to be expected" so I went to the <a href="https://community.letsencrypt.org">community forums</a> again and spent a bit of time looking around. I found a lot of similar issues where people where getting <code>The client lacks sufficient authorization</code> but they seemed mostly to relate to issues with domains that had not been white listed yet.</p>
<p>After a bit of guessing and trying different things to see if I could get it to work I found that it an issue with the Certificate Signing Request. I worked out what I was doing wrong, I had the Subject as the root domain <code>CN=xo.tc</code> and in the Subject Alternative Name I just had the subdomain <code>DNS:www.xo.tc</code> but you <a href="https://stackoverflow.com/questions/5935369/">need</a> both names in the Subject Alternative Name section so in my case <code>DNS:www.xo.tc, DNS:xo.tc</code>. In the past all the CAs I've used have been forgiving of my poorly formatted CSRs so I'd never realised I was doing it wrong.</p>
<p>After I recreated the Certificate Signing Request and ran the commans</p>
<div class="highlight"><pre><span></span><code><span class="n">openssl</span> <span class="n">req</span> <span class="o">-</span><span class="n">out</span> <span class="n">CSR</span><span class="o">.</span><span class="n">der</span> <span class="o">-</span><span class="n">outform</span> <span class="n">der</span> <span class="o">-</span><span class="n">key</span> <span class="n">www</span><span class="o">.</span><span class="n">xo</span><span class="o">.</span><span class="n">tc</span><span class="o">.</span><span class="n">key</span> <span class="o">-</span><span class="n">new</span> <span class="o">-</span><span class="n">sha256</span> <span class="o">-</span><span class="n">config</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">openssl_sans</span><span class="o">.</span><span class="n">cnf</span>
<span class="o">./</span><span class="n">letsencrypt</span><span class="o">-</span><span class="n">auto</span> <span class="o">--</span><span class="n">agree</span><span class="o">-</span><span class="n">dev</span><span class="o">-</span><span class="n">preview</span> <span class="o">--</span><span class="n">server</span> <span class="n">https</span><span class="p">:</span><span class="o">//</span><span class="n">acme</span><span class="o">-</span><span class="n">v01</span><span class="o">.</span><span class="n">api</span><span class="o">.</span><span class="n">letsencrypt</span><span class="o">.</span><span class="n">org</span><span class="o">/</span><span class="n">directory</span> <span class="n">auth</span> <span class="o">--</span><span class="n">csr</span> <span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">michael</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">CSR</span><span class="o">.</span><span class="n">der</span>
</code></pre></div>
<p>And it worked. I then updated my apache config to use the new certificates and I was done.</p>
<p>Despite a couple of small hiccups I think the experience with Let's Encrypt was very good and I'm excited to see it progress. I think the most benefit will not be for crypto geeks like me who actually enjoy playing with SSL but from people who didn't have SSL before so don't need to worry about using an existing key pair or doing anything funky, they can just run <code>./letsencrypt-auto</code> answer a a few simple questions like "Which domain names do you want to secure?" which was prepopulated with the correct answer anyway and then they are done.</p>
<p>Even better would be if other tools and hosting services integrated with the <a href="https://github.com/letsencrypt/acme-spec">ACME protocol</a> so encryption is just on by default. This would be great for people who have content and want to create websites or send email without needing to know all the technical details. Web servers like Apache and Nginx could automatically setup TLS. It's not just websites, I can imagine in the not too distant future running through the questions in the setup for Exim or Postfix and one of them being "Do you want Exim to automatically setup and manage certificates?" that that will be it, you just hit "Yes" and you have your SMTP running over StartTLS and/or SMTPS no messing about with Certification Authorities or managing keys.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:without-a-hitch">
<p>I'm running a very vanilla Debian install so I'd be a little supprised if it didn't work, but it is in beta. <a class="footnote-backref" href="#fnref:without-a-hitch" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Setting Up Full Disk Encryption on Debian Jessie2015-11-05T07:00:00+08:002015-11-05T07:00:00+08:00Michael Van Delfttag:xo.tc,2015-11-05:/setting-up-full-disk-encryption-on-debian-jessie.html<p><strong>Update 2017-06-29:</strong> I've done an <a href="https://xo.tc/setting-up-full-disk-encryption-on-debian-9-stretch.html">updated version</a> of this tutorial with Debian Stretch. The updated version is simplified, it uses the graphical installer and guided partitioning. However, if you want to manually partition your disks, this tutorial will still work for Debian Stretch.</p>
<p>This is part 2 of a two …</p><p><strong>Update 2017-06-29:</strong> I've done an <a href="https://xo.tc/setting-up-full-disk-encryption-on-debian-9-stretch.html">updated version</a> of this tutorial with Debian Stretch. The updated version is simplified, it uses the graphical installer and guided partitioning. However, if you want to manually partition your disks, this tutorial will still work for Debian Stretch.</p>
<p>This is part 2 of a two part post, part 1 is a bit of a primer about <a href="https://xo.tc/full-disk-encryption-on-linux.html">Full Disk Encryption on Linux</a>.</p>
<p>I should point out that in the tutorial I say "Full" disk encryption but that's not entirely correct there is still a small partition <code>/boot</code> that's unencrypted. That contains your kernel, grub config and initrd and needs to be unencrypted so we can start booting and decrypt the rest of the OS. If you're thinking "But then someone with physical access could replace my kernel with a backdoored one" your absolutely correct. It's called an "Evil Maid Attack"<sup id="fnref:evil-maid"><a class="footnote-ref" href="#fn:evil-maid">1</a></sup> and <a href="https://mjg59.dreamwidth.org/">Matthew Garrett</a> has some good write ups on them. There are ways you can protect against such attacks a Trusted Platform Module to <a href="http://kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/">only boot a signed kernel</a> or burning your <code>/boot</code> partition to a CD-R so it can't be changed. But these are out of scope for the tutorial.</p>
<p>For this tutorial I'm going to assume you're familiarly with the Debian installer and I'm really only going to cover the bits that relate to disk encryption. When running through the Debian installer you can pick to manually partition disk. You can split your disks into as many partitions as you like, but for this tutorial we are going to have four partitions.</p>
<ul>
<li><code>/boot</code> Unencrypted</li>
<li><code>/</code> root volume, encrypted with a passphrase.</li>
<li><code>/home</code> Encrypted with a key file (that's stored on <code>/</code>).</li>
<li><code>SWAP</code> Encrypted with a random key generated each time we boot.</li>
</ul>
<p>Run through the standard Debian installer until you get to the section on disk partitioning.</p>
<p>Select "Manual"
<img alt="Partition Manually" src="https://xo.tc/images/debian-full-disk-encryption-01.png"></p>
<p>Pick the disk you want to use
<img alt="Select Disk" src="https://xo.tc/images/debian-full-disk-encryption-02.png"></p>
<p>If it's a new disk create a partition table or wipe the existing one.<sup id="fnref:wipe-disks"><a class="footnote-ref" href="#fn:wipe-disks">2</a></sup>
<img alt="Wipe Disk" src="https://xo.tc/images/debian-full-disk-encryption-03.png"></p>
<p>Select the free space
<img alt="Select free space" src="https://xo.tc/images/debian-full-disk-encryption-04.png"></p>
<p>Create a new partition
<img alt="Create a new partition" src="https://xo.tc/images/debian-full-disk-encryption-06.png"></p>
<p>I'm currently running my laptop (which only has an 80GB SSD) with a 100MB boot partition and it's mostly ok but I forgot to run <code>sudo apt-get autoremove</code> for a while and my <code>/boot</code> filled up once. It's not a hard fix but I'd recommend 256MB it's not that much space and one less thing to worry about.
<img alt="256 MB Partition" src="https://xo.tc/images/debian-full-disk-encryption-07.png"></p>
<p>Create it as a Primary Partition
<img alt="Primary Partition" src="https://xo.tc/images/debian-full-disk-encryption-08.png"></p>
<p>At the Beginning
<img alt="Beginning" src="https://xo.tc/images/debian-full-disk-encryption-09.png"></p>
<p>Change the mount point to <code>/boot</code>
<img alt="Mount Point" src="https://xo.tc/images/debian-full-disk-encryption-10.png"></p>
<p><img alt="Mount Point" src="https://xo.tc/images/debian-full-disk-encryption-11.png"></p>
<p>And finish.
<img alt="Mount Point" src="https://xo.tc/images/debian-full-disk-encryption-12.png"></p>
<p>Next we will setup the root volume in this example I'm going with 64GB
<img alt="Root Volume" src="https://xo.tc/images/debian-full-disk-encryption-13.png">
<img alt="Root Volume" src="https://xo.tc/images/debian-full-disk-encryption-14.png">
<img alt="Root Volume" src="https://xo.tc/images/debian-full-disk-encryption-15.png">
<img alt="Root Volume" src="https://xo.tc/images/debian-full-disk-encryption-16.png">
<img alt="Root Volume" src="https://xo.tc/images/debian-full-disk-encryption-17.png"></p>
<p>Now select "Use As"
<img alt="Root Volume" src="https://xo.tc/images/debian-full-disk-encryption-18.png"></p>
<p>And change it to "physical volume for encryption"
<img alt="physical volume for encryption" src="https://xo.tc/images/debian-full-disk-encryption-18.png">
<img alt="physical volume for encryption" src="https://xo.tc/images/debian-full-disk-encryption-19.png">
<img alt="physical volume for encryption" src="https://xo.tc/images/debian-full-disk-encryption-20.png"></p>
<p>Now we do the same again for our <code>/home</code> partition
<img alt="Home Volume" src="https://xo.tc/images/debian-full-disk-encryption-21.png">
<img alt="Home Volume" src="https://xo.tc/images/debian-full-disk-encryption-22.png"></p>
<p>Now I'm creating a volume that 8GB less than the remaining space on the disk, to leave 8GB for swap.
<img alt="Home Volume" src="https://xo.tc/images/debian-full-disk-encryption-23.png"></p>
<p>Finally we create a partition that we will (eventualy) use for swap. However simply create a partition, don't set it as swap or use / format it yet.
<img alt="Swap Partition" src="https://xo.tc/images/debian-full-disk-encryption-24.png">
<img alt="Swap Partition" src="https://xo.tc/images/debian-full-disk-encryption-25.png">
<img alt="Swap Partition" src="https://xo.tc/images/debian-full-disk-encryption-26.png">
<img alt="Swap Partition" src="https://xo.tc/images/debian-full-disk-encryption-27.png">
<img alt="Swap Partition" src="https://xo.tc/images/debian-full-disk-encryption-28.png"></p>
<p>Now select "Configure encrypted volumes"
<img alt="Encrypted Volumes" src="https://xo.tc/images/debian-full-disk-encryption-29.png"></p>
<p>Write the changes to disk
<img alt="Encrypted Volumes" src="https://xo.tc/images/debian-full-disk-encryption-30.png"></p>
<p>Create encrypted volumes
<img alt="Encrypted Volumes" src="https://xo.tc/images/debian-full-disk-encryption-31.png"></p>
<p>Select the encrypted volumes
<img alt="Encrypted Volumes" src="https://xo.tc/images/debian-full-disk-encryption-32.png"></p>
<p>Finish
<img alt="Encrypted Volumes" src="https://xo.tc/images/debian-full-disk-encryption-33.png"></p>
<p>Enter a passphrase for your root volume and your home volume. We will change the home volume to a key later.
<img alt="Set Passphrase" src="https://xo.tc/images/debian-full-disk-encryption-34.png">
<img alt="Set Passphrase" src="https://xo.tc/images/debian-full-disk-encryption-35.png">
<img alt="Set Passphrase" src="https://xo.tc/images/debian-full-disk-encryption-36.png">
<img alt="Set Passphrase" src="https://xo.tc/images/debian-full-disk-encryption-37.png"></p>
<p>Now select the encrypted volume and map them to <code>/</code> and <code>/home</code>
<img alt="Map Encrypted Volumes" src="https://xo.tc/images/debian-full-disk-encryption-38.png">
<img alt="Map Encrypted Volumes" src="https://xo.tc/images/debian-full-disk-encryption-39.png">
<img alt="Map Encrypted Volumes" src="https://xo.tc/images/debian-full-disk-encryption-40.png"></p>
<p>Select finish and write changes to disk
<img alt="Finish" src="https://xo.tc/images/debian-full-disk-encryption-41.png"></p>
<p>The installer will complain that we don't have a swap file setup yet, but that's ok we can fix that later.
<img alt="Swap File" src="https://xo.tc/images/debian-full-disk-encryption-42.png"></p>
<p>And finish, then continue with the installer as usual.
<img alt="Finish" src="https://xo.tc/images/debian-full-disk-encryption-43.png"></p>
<p>When you finish the installer and reboot you should now have a system with full disk encryption but there are a couple of things we need to fix up.</p>
<p>First we will setup the swap partition to use a random key at boot. We need to edit <code>/etc/crypttab</code> and add <code>sda7_crypt /dev/sda7 /dev/urandom swap</code>. Then we need to edit <code>/etc/fstab</code> and add <code>/dev/mapper/sda7_crypt none swap sw 0 0</code></p>
<p>Next we are going to use a key file instead of a passphrase for our home partition. To do that we will generate a file with some random data in there.</p>
<div class="highlight"><pre><span></span><code>$ sudo su
<span class="c1"># mkdir /etc/keys</span>
<span class="c1"># dd if=/dev/random of=/etc/keys/sda6.key bs=1 count=32</span>
<span class="c1"># chmod 400 /etc/keys/sda6.key</span>
</code></pre></div>
<p>Next we add that as a key to be able to decrypt that volume <code>sudo cryptsetup luksAddKey /dev/sda6 /etc/keys/sda6.key</code></p>
<p>and then we remove the current passphrase <code>sudo cryptsetup luksRemoveKey /dev/sda6</code></p>
<p>then we edit <code>/etc/crypttab</code> on the line that has <code>sda6_crypt</code> replace the word <code>none</code> with <code>/etc/keys/sda6.key</code></p>
<p>And your done. Now when you boot you should just be asked for the one passphrase.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:evil-maid">
<p>Every time I hear the term "Evil Maid Atack" I get a mental image of a big beefy hairy security guy in a French maid outfit with a feather duster. It's horrible. <a class="footnote-backref" href="#fnref:evil-maid" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:wipe-disks">
<p>It's about this time that I should point out that formatting your disk and installing a new OS will remove all the data on a disk, make sure you have backups. But I feel like if your installing Linux with full disk encryption your probably already across that. <a class="footnote-backref" href="#fnref:wipe-disks" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>Full Disk Encryption on Linux2015-10-29T07:00:00+08:002015-10-29T07:00:00+08:00Michael Van Delfttag:xo.tc,2015-10-29:/full-disk-encryption-on-linux.html<p>Full disk encryption on Linux is surprisingly easy once you pick up a few basic commands you are good to go. Although that being said GPG is surprisingly easy too, or at least basic usage is not that hard. But as I pointed out in <a href="https://xo.tc/the-best-crypto-is-the-crypto-you-dont-see.html">The best crypto is the …</a></p><p>Full disk encryption on Linux is surprisingly easy once you pick up a few basic commands you are good to go. Although that being said GPG is surprisingly easy too, or at least basic usage is not that hard. But as I pointed out in <a href="https://xo.tc/the-best-crypto-is-the-crypto-you-dont-see.html">The best crypto is the crypto you don't see</a> it's still far too hard because you have to think about it and know your using it unlike full disk encryption on a Chromebook which just happens without the user even knowing.</p>
<p>This is Part 1 of a two part post, In part 2 of this post I'm going to run through a tutorial on <a href="https://xo.tc/setting-up-full-disk-encryption-on-debian-jessie.html">Setting Up Full Disk Encryption on Debian Jessie</a>. Although most of this post should be fairly applicable to any flavour of Linux, it's a quick primer on LUKS. There are four terms that I see used a fair bit, often used interchangeably and in subtlety wrong ways. That can make things very confusing to newcomers.</p>
<ul>
<li>
<p><strong>LUKS</strong> - LUKS (pronounced like 'lux') stands for Linux Unified Key Setup and is a standard for disk encryption. There have been many different disk encryption tools on Linux and each setting up encrypted volumes in a slightly different way meaning the encrypted volumes created with one program (or sometimes even one version of a program) were not compatible with others. So LUKS was born to be a single unified standard or specification that everyone could stick to.</p>
</li>
<li>
<p><strong>dm-crypt</strong> - dm-crypt a kernel module used map encrypted volumes and make them look like devices so they can be mounted. It's the "reference implementation" of LUKS and as such is the de facto standard for using LUKS. But there are other tools that can mount LUKS volumes like <a href="https://github.com/t-d-k/LibreCrypt">LibreCrypt</a><sup id="fnref:LibreCrypt"><a class="footnote-ref" href="#fn:LibreCrypt">1</a></sup> formerly DoxBox for Windows and dm-crypt is not just limited to LUKS volumes, it can open other encryption formats like TrueCrypt volumes.</p>
</li>
<li>
<p><strong>cryptsetup</strong> - cryptsetup a commandline interface for managing dm-crypt. Again it's very much the standard but other tools for managing dm-crypt do exist, for exmaple there is <a href="http://mhogomchungu.github.io/zuluCrypt/">zuluCrypt</a> a nice GUI manager.</p>
</li>
<li>
<p><strong>Full Disk Encryption on Linux</strong> -This is obviously a generic term that should cover all disk encryption tools on Linux but what I have often found reading forums and mailing lists is that because the LUKS/dm-crypt/cryptsetup combo is so common it's become the de facto standard and so unless people actually specify otherwise that's usually what they mean.</p>
</li>
</ul>
<p>One of the nice things about the LUKS format is that it has the 8 key slots. The way it works is that the bulk of the data encrypted using a master key. There are eight key slots each of which can contain an encrypted copy of the master key which means if you want to change the password you don't need to re-encrypt the whole volume again with a new key, you can simply re-encrypt the master key with the new that password in the key slot. This also means you could have up to eight different passwords to decrypt the volume.</p>
<p><img alt="LUKS Volume" src="https://xo.tc/images/luks-volume.png"></p>
<p>A practical use for this would be if you were handing out employee laptops, key slot one could contain a key known to the IT Department, while key slot two could contain a key set by the user. This means that the user could return their laptop and the IT Department who could decrypt it without knowing what the users password is and similarly the user can decrypt their laptop without the IT Departments key.</p>
<p>It also means if the user wants to change their password they can change it with out needing to re-encrypt the whole disk, instead they simply decrypt their key slot and re-encrypt the master key with their new password.</p>
<p>This design also has some drawbacks, one is that the master key is stored in the header and if that gets damaged, corrupted or lost for some reason you lose access to the whole volume. Better keep backups.</p>
<p>The other drawback is that because the master key doesn't change when you change the password anyone who knows the master key can still access the drive. So in the example with employee laptops, if IT got the laptop back, wiped key slot 2 and set it up with a new password for a new user. If the old user made a backup of the header / master key they can still access the drive even though they don't know the current password.</p>
<p>Now a key doesn't have to be a password it can also be a file, this can be incredibly useful because then you can add an entry into <code>/etc/crypttab</code> to automatically decrypt volumes. You can also set the key to be generated from <code>/etc/urandom</code> automatically each time you boot giving you a new non-persistent key for your swap file or other scratch drive that you don't want to survive a reboot.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:LibreCrypt">
<p>I haven't actually used LibreCrypt, I'm just aware that it's a Windows implimentation of LUKS. <a class="footnote-backref" href="#fnref:LibreCrypt" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Tunneling data over DNS2015-10-22T07:00:00+08:002015-10-22T07:00:00+08:00Michael Van Delfttag:xo.tc,2015-10-22:/tunneling-data-over-dns.html<p>This is an overview of how Tunneling data over DNS works, for a tutorial see <a href="https://xo.tc/how-to-tunnel-data-over-dns.html">How to tunnel data over DNS</a>.</p>
<p>Tunneling data over DNS isn't a new idea but it's one that surprisingly few people even in the security industry are aware of. Software to do dns tunneling has …</p><p>This is an overview of how Tunneling data over DNS works, for a tutorial see <a href="https://xo.tc/how-to-tunnel-data-over-dns.html">How to tunnel data over DNS</a>.</p>
<p>Tunneling data over DNS isn't a new idea but it's one that surprisingly few people even in the security industry are aware of. Software to do dns tunneling has been around since at least <a href="http://dnstunnel.de/">2006</a> and possibly before that. When I first heard about DNS Tunneling I completely misunderstood it and though it was like running something like an <a href="https://xo.tc/changing-ssh-from-port-22.html">SSH Server on port 53</a> my responce was along the lines of "Sure but you just lock outbound connections on port 53 down, only alow connections from your DNS servers and only to your upstream DNS servers that will stop people tunneling traffic over port 53".</p>
<p>But it's much more subtle than that. Consider the following network<sup id="fnref:network-diagram"><a class="footnote-ref" href="#fn:network-diagram">1</a></sup>
<img alt="dns tunnle network" src="https://xo.tc/images/dns-tunnel-network.png"></p>
<p>I've split each of the services up into individual servers to make it easier to follow although in reality it's more likely the whole thing is just an all in one Firewall/Router/Proxy/Access point/DNS/whatever device.</p>
<p>Now at first glance it looks like the only way go get on the net is through the Horrible Web Proxy. All out bound connection on port 53 must come from 10.1.1.5 and go to 8.8.8.8 and we don't control either of those. All connections on 80 and 443 must go through Horrible Web Proxy which is probably asking for credit card details and spying on our data at the same time. But we are not out of options!</p>
<p>The DNS server will happily talk to us without a credit card, because "hey, it's just DNS." and you need DNS to be working to resolve websites so you can start using the Horrible Web Proxy. So if we do an lookup for a txt record for a sub-domain where you control the Authoritative DNS Server. The request goes to 10.1.1.5 which doesn't have the result cached (becasue the record is unique and not cached) so it asks the upstream server 8.8.8.8. That's allowed out through the fire wall and then 8.8.8.8 in turn asks the authoritative server which replies with a txt record that is returned to you at 10.1.1.73.</p>
<p>So for example you look up {data_to_send.base32}.dns-tunnel.xo.tc and it replies with "{data_as_reply.base64}" as the txt record.</p>
<p>This technique is not only useful for browsing the web when stuck behind a captive portal, it can also be useful for people wanting to quietly exfiltrate data from a network where there is a Data Loss Prevention or other systems in place to prevent or detect outgoing data. I heard a story once<sup id="fnref:story"><a class="footnote-ref" href="#fn:story">2</a></sup> where person was doing some security training and heard about DNS Tunneling. He went pale and he said something like "We just saw a huge amount of DNS traffic leaving our network a couple of months ago and couldn't work out what it was. We just though it was a server malfunctioning." I'm guessing they had all the joys of rolling out incident response to look forward to after that.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:network-diagram">
<p>This <a href="https://xo.tc/images/dns-tunnel-network.xml">network diagram</a> was drawn with <a href="https://www.draw.io/">draw.io</a> a free drawing tool. <a class="footnote-backref" href="#fnref:network-diagram" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:story">
<p>I think it was on <a href="http://risky.biz">risky business</a> around the time of the 2014 AusCERT conference but I can't seem to find the episode. <a class="footnote-backref" href="#fnref:story" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>Security and the Media2015-10-15T07:00:00+08:002015-10-15T07:00:00+08:00Michael Van Delfttag:xo.tc,2015-10-15:/security-and-the-media.html<p>It's time for me to don my grumpy old man pants and have a whinge about how the attention of the main stream media is like a kitten with glittery bauble. Running all over the place focusing on the flashy and the new instead of focusing on the real issues …</p><p>It's time for me to don my grumpy old man pants and have a whinge about how the attention of the main stream media is like a kitten with glittery bauble. Running all over the place focusing on the flashy and the new instead of focusing on the real issues. Now this is by no means an issue constrained to just computer security, it happens in all fields but that's what I'm going to be focusing on.</p>
<p>I'd like to run through a few examples where I look at an incident that got a lot of media coverage and a comparable one that got almost none.</p>
<h3>Ashley Madison Vs Office of Personnel Management</h3>
<p>First let's look at two large data breaches that happened in the last 6 months, the <a href="https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach">Office of Personnel Management data breach</a> (OPM) and the <a href="https://en.wikipedia.org/wiki/Ashley_Madison_data_breach">Ashley Madison data breach</a>.</p>
<p>Both were disclosed about a month apart, the OPM breach kind of made it into the main stream press (In Australia at least) but was really a non-event. Despite the fact that a significant amount of very personal details was leaked about tens of millions of people. It was not just information about personnel leaked but details of their friends, family and even neighbours. There was a recent update that <a href="http://www.wired.com/2015/09/opm-now-admits-5-6m-feds-fingerprints-stolen-hackers/">over 5 million fingerprints</a> were lost, in a world where we are using our fingerprints to unlock smart phones it this is a serious issue<sup id="fnref:fingerprints"><a class="footnote-ref" href="#fn:fingerprints">1</a></sup>.</p>
<p>Meanwhile the Ashley Madison breach was announced and it was a media frenzy. Stories where running wild because of the saucy nature of the site. There were announcers<sup id="fnref:announcers"><a class="footnote-ref" href="#fn:announcers">2</a></sup> on the main stream TV and Radio stations giving the story a good run in peak times.</p>
<h3>Heartblead Vs CVE 2015-0093</h3>
<p>The odds are pretty good you won't even know what <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0093">CVE-2015-0093</a> is unless you look it up, and that's completely understandable. Unlike <a href="http://heartbleed.com/">Heartbleed</a> it did not have it's own fancy name, logo, dedicated website and PR campaign. I heard ridiculous terms bandied about with heartbleed even from reputable names like <a href="https://www.schneier.com/blog/archives/2014/04/heartbleed.html">Bruce Schneier</a> describing saying</p>
<blockquote>
<p>"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.</p>
</blockquote>
<p>yet if I was to have read the two CVEs with no background, having never seen any of the hype at all</p>
<blockquote>
<p>The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.</p>
</blockquote>
<p>and</p>
<blockquote>
<p>Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "Adobe Font Driver Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-0088, CVE-2015-0091, CVE-2015-0092, and CVE-2015-0093.</p>
</blockquote>
<p>I wonder which I'd be more worried about; the remote code execution as root from simply viewing<sup id="fnref:viewing-a-font"><a class="footnote-ref" href="#fn:viewing-a-font">3</a></sup> a font that could be embedded in a web page or PDF (regardless of browser or PDF viewer used) or the information disclosure bug that could leak any data (including private keys) that was in memory. The adobe font driver bug just got a CVE and a <a href="https://technet.microsoft.com/library/security/ms15-021">patch</a> without making headlines. Although there was an incredibly in depth write up over at <a href="http://googleprojectzero.blogspot.com.au/2015/07/one-font-vulnerability-to-rule-them-all.html">project zero</a> if your interested.</p>
<p>Now I want to be clear here, heartbleed was a very serious bug. It affected a huge percentage of the internet facing infrastructure and will show up in unexpected (and hard to patch) locations for years to come, was very easy to exploit and had fairly serious ramifications but I don't think it would have got even a tenth of the media coverage it did without massive PR campaign behind it.</p>
<h3>The "Unhackable kernel" Vs Wordpress 3.7+ Background Updates</h3>
<p>The "<a href="https://www.google.com.au/search?q=unhackable+kernel">Unhackable Kernel</a>" was the thing that triggered this whole rant. I turned on the radio the other day and a pop science show came on with a couple of guys talking about how the University of New South Wales had developed an "Unhackable operating system<sup id="fnref:operating-system"><a class="footnote-ref" href="#fn:operating-system">4</a></sup>" and all our security problems will be solved in the next couple of years as this thing gets rolled out, and wouldn't it have been great if Ashley Madison had been using it, it could have stopped that breach. Now I want to be careful not to rip into the wrong people here. The <a href="http://sel4.systems">seL4</a> project is very interesting research that is just starting to have some real world practical applications. It's done by some very smart and reasonable people who do genuinely understand security. From their FAQs</p>
<blockquote>
<p><strong>If I run seL4, is my system secure?</strong></p>
<p>Not automatically, no. Security is a question that spans the whole system, including its human parts. An OS kernel, verified or not, does not automatically make a system secure. In fact, any system, no matter how secure, can be used in insecure ways.</p>
</blockquote>
<p>But I'm not sure what happened if it was an over enthusiastic press release or a media groups misunderstanding but it's been getting a fair bit of traction.</p>
<p>Meanwhile there are many great wins for security happen every day with real wold effects. Like when WordPress switched on <a href="https://wordpress.org/news/2013/10/basie/">automatic security updates</a> in 3.7. They removed one of the top causes of websites getting hacked and defaced, and there was hardly a peep from the media. In fact from their <a href="https://codex.wordpress.org/Version_3.7">release notes</a>:</p>
<blockquote>
<p>"You might not notice a thing, and we’re okay with that."</p>
</blockquote>
<h3>Charlie Miller and Chris Valasek 2013 Vs Charlie Miller and Chris Valasek 2015</h3>
<p>In 2013 Charlie Miller and Chris Valasek <a href="https://www.youtube.com/watch?v=n70hIu9lcYo">presented</a> at DEF CON 21 and then <a href="https://www.youtube.com/watch?v=OobLb1McxnI">again</a> at DEF CON 23. Now admittedly the bugs they were talking about at DEF CON 23 were more interesting but the underlying vulnerability (that you can get to the CAN bus and reflash chips from the entertainment system) didn't really change. But the first response could largely be summed up as "Meh, you need physical access to do any of that stuff, and if you had physical access you could just slash the tires or whatever... Come back when you have something real to show us." It was referred to as "<a href="https://lists.immunityinc.com/pipermail/dailydave/2014-September/000746.html">Junk Hacking</a>". Then before DEF CON 23 after they disabled the breaks on <a href="http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/">Andy Greenberg</a> while he was driving a Jeep down the highway. They got an amazing writeup and suddenly the response could be summed with the headline <a href="http://www.foxnews.com/tech/2015/07/21/patch-your-chrysler-vehicle-before-hackers-kill/">Patch your Chrysler vehicle before hackers kill you</a>.</p>
<p>There is now a <a href="http://www.wired.com/2015/08/chrysler-harman-hit-class-action-complaint-jeep-hack/">class action law suit</a> about this, but the real vulnerability (or at least the one addressed by the suit) that the CAM bus should never have been physically connected to the entertainment system is not something new. The new part is the PR drama.</p>
<p>Now I understand that journalist write what people want to read. I understand that a big PR splash can help get bugs fixed. But it doesn't mean that I have to like it.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:fingerprints">
<p>Unlike passwords you can't just reset your fingerprint after it gets leaked. <a class="footnote-backref" href="#fnref:fingerprints" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:announcers">
<p>With an almost comical lack of understanding about even basic IT. <a class="footnote-backref" href="#fnref:announcers" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:viewing-a-font">
<p>I believe you don't even need to "view" the font, just load it into memory to trigger this vulnerability. So potentially it could affect a headless box that was parsing PDFs. <a class="footnote-backref" href="#fnref:viewing-a-font" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
<li id="fn:operating-system">
<p>Not just a kernel any more but a full blown OS, it's amazing how these rumours grow <a class="footnote-backref" href="#fnref:operating-system" title="Jump back to footnote 4 in the text">↩</a></p>
</li>
</ol>
</div>Estimating the security of software2015-10-08T07:00:00+08:002015-10-08T07:00:00+08:00Michael Van Delfttag:xo.tc,2015-10-08:/estimating-the-security-of-software.html<p>Estimating the security of software is something that most systems administrators do instinctively, whether consciously or subconsciously. I have heard people say things like "Don't use WordPress it's always getting hacked", "Linux is more secure than Windows"<sup id="fnref:linux-windows"><a class="footnote-ref" href="#fn:linux-windows">1</a></sup> or "Macs don't get viruses"<sup id="fnref:mac-virus"><a class="footnote-ref" href="#fn:mac-virus">2</a></sup>. All of these are estimates about …</p><p>Estimating the security of software is something that most systems administrators do instinctively, whether consciously or subconsciously. I have heard people say things like "Don't use WordPress it's always getting hacked", "Linux is more secure than Windows"<sup id="fnref:linux-windows"><a class="footnote-ref" href="#fn:linux-windows">1</a></sup> or "Macs don't get viruses"<sup id="fnref:mac-virus"><a class="footnote-ref" href="#fn:mac-virus">2</a></sup>. All of these are estimates about the relative security of software.</p>
<p>The problem with looking at the security of software is that it's only possible to prove the negative (i.e. this software <strong>is not</strong> secure) but it's not possible to prove the positive (i.e. this software <strong>is</strong> secure) and once a piece of software become sufficiently complex I don't believe it is practically possible to write software with no bugs at all.</p>
<p>Let's take for example two piece's of software <a href="https://www.openoffice.org/">Apache OpenOffice</a> and <a href="https://www.libreoffice.org/">LibreOffice</a> both were affected by <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1774">CVE-2015-1774</a> and at the time of this writing it hasn't been <a href="https://www.openoffice.org/security/cves/CVE-2015-1774.html">patched</a> in OpenOffice so I could prove the negative and say "OpenOffice is not secure, if a users opens a malicious .odt file<sup id="fnref:odt-file"><a class="footnote-ref" href="#fn:odt-file">3</a></sup> it could result in remote code execution.". While with LibreOffice it has been <a href="https://www.libreoffice.org/about-us/security/advisories/cve-2015-1774/">patched</a> and there are (again, at the time of this writing) no <a href="https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=LibreOffice">public CVEs</a> so I could say "There are no public vulnerabilities that have not been patched." but that's not the same as saying it's secure.</p>
<p>There are probably bugs in LibreOffice that have been discovered but haven't been disclosed, found by folks like Vupen and other shady groups selling 0-days on the black market. And there are undoubtedly bugs that simply haven't been found by anyone yet.</p>
<p>So in the case of software where there are no known vulnerabilities it can't be proven to be secure, or proven to be insecure we are left in a situation where we have to estimate.</p>
<p>I don't think we as an industry have a good way of estimating the security health of software but I think one would be useful. There are some good indicators, a great example is the Linux Foundation's Core Infrastructure Initiative, which recently tried to <a href="https://lwn.net/Articles/651268/">score open source projects</a>, although they were not just assessing security but also impact (e.g. is the program widely used, dose it handle network traffic, etc...).</p>
<p>One interesting metric is CVEs but as mentioned in the <a href="https://www.coreinfrastructure.org/sites/cii/files/pages/files/pub_ida_lf_cii_070915.pdf">Core Infrastructure white paper</a>, it can be misleading because a low number could indicate a lack of review (i.e. no one is looking for bugs) or it could be that there are very few bugs to find. Conversely a high number of CVEs could mean that the software is full of bugs or that it's getting a lot of attention and bugs are found and fixed quickly.</p>
<p>Other good metrics include the choice of programming language and framework. I recall reading an argument on line<sup id="fnref:argument"><a class="footnote-ref" href="#fn:argument">4</a></sup> where one user said something like "There are no bad programming languages, only bad developers" to which the response was "Then it's reasonable to develop in <a href="https://en.wikipedia.org/wiki/Brainfuck">Brainfuck</a>?". I think that sums it up perfectly, some languages are simply a better choice and make it easier to write secure software.</p>
<p>Our opinions of software security can also be biased by the popularity of software. I think both Windows and WordPress suffer from this to a degree, for example according to <a href="http://w3techs.com/technologies/overview/content_management/all">W3Techs Surveys</a> 58.7% of sites where they could detect the CMS it was WordPress. But even if we look at the lower number 24.5% of all sites run WordPress. If you think that almost 1 in every 4 sites on the net runs WordPress then it's not surprising that a lot of the horrible hacked sites that are being used to drop malware are running out of date WordPress installs.</p>
<p>Similarly if you think how many times you have seen a nasty Windows desktop a bunch of spyware and junk installed. Systems where there is no option but to format and reinstall, but then think how many times have you seen a non Windows desktops, sure there are a few mac floating about but not that many. It's not surprising that most desktop malware targets Windows. Just like most SSH password brute forcing worms target Linux, because there are more Linux servers with SSH exposed on the net.</p>
<p>I think in most situations picking the most secure software ends up being a gut feeling thing or at best an informed guess, but there are some objective measures out there if you look for them.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:linux-windows">
<p>While Debian GNU Linux is my preferred operating system I don't necessarily think it's more secure. This is just an example of things I've heard people say. <a class="footnote-backref" href="#fnref:linux-windows" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:mac-virus">
<p>Of course all operating systems more complex that an calculator can get viruses. Macs have bash, you could run <code>:(){ :|:& };:</code> that's <a href="https://en.wikipedia.org/wiki/Fork_bomb">self replicating code</a> although it won't survive a reboot <a class="footnote-backref" href="#fnref:mac-virus" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:odt-file">
<p>The vulnerability is with the HWP format, but you can give a hwp file a .odt extension and OpenOffice will still parse the file and trigger the vulnerability. <a class="footnote-backref" href="#fnref:odt-file" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
<li id="fn:argument">
<p>I think it was about Python vs Java on <a href="http://security.stackexchange.com/">Security Stack Exchange</a> but can't seem to find the link. <a class="footnote-backref" href="#fnref:argument" title="Jump back to footnote 4 in the text">↩</a></p>
</li>
</ol>
</div>Backup to S3 and restore to EC22015-10-01T07:00:00+08:002015-10-01T07:00:00+08:00Michael Van Delfttag:xo.tc,2015-10-01:/backup-to-s3-and-restore-to-ec2.html<p>There is an old saying that "there are two types of sysadmins, those that do make backups and those that will make backups". Hopefully there are not too many of the second group. But backing up the data is only part of the picture, you also need to think about …</p><p>There is an old saying that "there are two types of sysadmins, those that do make backups and those that will make backups". Hopefully there are not too many of the second group. But backing up the data is only part of the picture, you also need to think about how you are going to restore it for a full disaster recovery (DR) plan.</p>
<p>Unfortunately a DR solution can be costly, our previous strategy we bought a server with enough hard disk space, RAM and CPU grunt to hold our off site backups and to spin up all our VMs to replicate our production environment in the event of a disaster. I can't remember the exact price of the server but it was in the tens of thousands of dollars plus the ongoing cost of hosting it in a data center somewhere. It cost almost as much as our production environment and sat there not doing much<sup id="fnref:not-doing-much"><a class="footnote-ref" href="#fn:not-doing-much">1</a></sup> for five years before being decommissioned.</p>
<p>Now I'm not saying it was a complete waste of money, had there been a disaster it would have been worth every cent. But for a small to medium sized organisation that's a huge upfront cost that I think can be avoided. This is where being able to purchase compute power <em>on demand</em> and <em>separate from storage</em> absolutely shines. It turns a huge capital expenditure into a small operational expenditure that is only paid in the event of a disaster (or during DR testing).</p>
<p>So when I was asked to do up the specs for our new DR server I though about using a cloud<sup id="fnref:cloud"><a class="footnote-ref" href="#fn:cloud">2</a></sup> hosting provider who could give us storage and only pay for CPU and RAM when we needed it. We looked at a few hosting providers, including <a href="http://aws.amazon.com/">Amazon</a>, <a href="https://azure.microsoft.com/en-us/">Azure</a>, <a href="https://www.binarylane.com.au/">binary lane</a> and some local providers who are not really "Cloud" vendors but would provide us storage and has spare physical machines as needed. I think any of them could have done it but in the end we settled on Amazon.</p>
<p>It saved us a huge amount of money and worked very well. So how did we do it?</p>
<p><img alt="Disaster Recovery Process" src="https://xo.tc/images/Disaster-Recovery-Process.png"></p>
<p>In this diagram we don't backup the Terminal Server, instead we treat it like a desktop machine and rebuild it.</p>
<h2>Implementation</h2>
<h3>Local Backup</h3>
<p>We use <a href="http://www.veeam.com/vm-backup-recovery-replication-software.html">Veeam Backup and Replication</a><sup id="fnref:veeam"><a class="footnote-ref" href="#fn:veeam">3</a></sup> to backup our servers to a local backup server. Nothing fancy about that except a few small caveats; disks need to be either VHD or VMDK to work with <a href="http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-ImportVolume.html">ec2-import-volumne</a> and not VHDX, VDI, etc.. also hard drives can't be over 1TB each as the import can't handle larger files. Lastly it's best to have a separate jobs for each server so if you have 5 servers, setup 5 seperate backup jobs (or even more, if you wanted you could setup one job for each disk, so a single server with 3 VHDs would have 3 backup jobs). This will create separate backup files and allow you to parallelize your restore process.</p>
<h3>Offsite Storage</h3>
<p>Then we push a copy of our backups into S3, we used <a href="http://www.veeam.com/backup-cloud-edition-licensing-faq.html">Veeam Cloud Backup</a> to push our backups off, but that got discontinued so now we are using <a href="http://www.cloudberrylab.com/enterprise-cloud-backup-software.aspx">CloudBerry Backup</a><sup id="fnref:cloudberry"><a class="footnote-ref" href="#fn:cloudberry">4</a></sup> which as far as I can tell is exactly the same product but rebadged<sup id="fnref:rebadged"><a class="footnote-ref" href="#fn:rebadged">5</a></sup>.</p>
<h3>Restore Procedures</h3>
<p>So far it's all been fairly standard but the restore is where it gets interesting. First we setup one EC2 and installed all the required software for a restore onto it; Veeam, CloudBerry Backup, and the <a href="http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ec2-cli-get-set-up.html">AWS Commandline tools</a> setup with an API key. We setup ours with a fairly small hard drive (EBS) in our case we set it to 40GB.</p>
<p>Once it's been setup and ready to do a restore we can shut it down and make a snapshot to create an <a href="http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html">Amazon Machine Image</a> (AMI). This way if we want to restore 5 servers, we can spin up 5 DR servers to start the recovery and we can attach larger hard drives to each as a scratch disk to use for the restore (you will want about twice the size of the disks you are restoring).</p>
<p>First you pull the Veeam files (.vbm, .vbk and .vib's) out of S3 onto the scratch disk with CloudBerry Backup and then import that into Veeam Backup and Replication to convert it back to a .vhd file.</p>
<p>Once you have a .vhd file you can import them into AWS, you can import bootable disks with <a href="http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-ImportInstance.html">ec2-import-instance</a> will create a new EC2 and you can import volumes with <a href="http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-ImportVolume.html">ec2-import-volumne</a> which will create a EBS (virtual hard disk) that can be attached to</p>
<div class="highlight"><pre><span></span><code>ec2-import-instance D:\Database_Severver_C.vhd -t t2.medium -f vhd -a x86_64 -b import-ebs-volumes --subnet subnet-1234567a -o <span class="nv">%AWS_ACCESS_KEY%</span> -w <span class="nv">%AWS_SECRET_KEY%</span> -p Windows -z ap-southeast-2a --region ap-southeast-2
</code></pre></div>
<div class="highlight"><pre><span></span><code>ec2-import-volume D:\Database_Severver_D.vhd -f vhd -z ap-southeast-2a -o <span class="nv">%AWS_ACCESS_KEY%</span> -w <span class="nv">%AWS_SECRET_KEY%</span> -b import-ebs-volumes --region ap-southeast-2
</code></pre></div>
<p>All in all I'm fairly happy with how it all works. We do new full backups every 3 months (run on a Friday with each server is out of step to give us the weekend to upload the new full backup) and then daily incrementals. All backups are kept in S3 and then migrated to glacier after 12 months. We only pay for the storage in S3 which is relatively cheap (It costs less per month than our data center hosting for the old server did with no upfront cost) and during our DR tests everything has come back up fairly well.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:not-doing-much">
<p>Other than the occasional DR test which where less frequent than they should have been I suspect it never peaked over 1% CPU and 5% RAM usage. <a class="footnote-backref" href="#fnref:not-doing-much" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:cloud">
<p>I usually try to avoid the word "Cloud" because I find it an ambiguous sales term but sometimes it's hard. <a class="footnote-backref" href="#fnref:cloud" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:veeam">
<p>I'm sure it would work with other backup software, although we tried <a href="http://www.storagecraft.com.au/">ShadowProtect</a> which is good but didn't work because of the way it modifies .vhd files on restore to do their "Hardware independent restore". <a class="footnote-backref" href="#fnref:veeam" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
<li id="fn:cloudberry">
<p>Veeam gave us a free license for CloudBerry Backup when they discontinued their version. <a class="footnote-backref" href="#fnref:cloudberry" title="Jump back to footnote 4 in the text">↩</a></p>
</li>
<li id="fn:rebadged">
<p>I suspect it may have been the otherway around, Veeam Cloud Bacup was just CloudBerry Backup that had been rebadged with the Veeam logo. <a class="footnote-backref" href="#fnref:rebadged" title="Jump back to footnote 5 in the text">↩</a></p>
</li>
</ol>
</div>The best crypto is the crypto you don't see2015-09-24T07:00:00+08:002015-09-24T07:00:00+08:00Michael Van Delfttag:xo.tc,2015-09-24:/the-best-crypto-is-the-crypto-you-dont-see.html<p>Moxie Marlinspike, a security researcher and cryptography expert for whom I have a lot of respect published a somewhat controversial article <a href="http://thoughtcrime.org/blog/gpg-and-me/">GPG And Me</a>. Moxie says that he thinks of GPG</p>
<blockquote>
<p>"as a glorious experiment that has run its course"</p>
</blockquote>
<p>And I hate to admit it, but think he is …</p><p>Moxie Marlinspike, a security researcher and cryptography expert for whom I have a lot of respect published a somewhat controversial article <a href="http://thoughtcrime.org/blog/gpg-and-me/">GPG And Me</a>. Moxie says that he thinks of GPG</p>
<blockquote>
<p>"as a glorious experiment that has run its course"</p>
</blockquote>
<p>And I hate to admit it, but think he is right. I'd love to believe that PGP will take off in the wake of the Snowden revelations, it will become ubiquitous and built into every mail client as standard. But <a href="https://en.wikipedia.org/wiki/Pretty_Good_Privacy">PGP</a> has been around for almost 25 years now, and <a href="https://gnupg.org/download/release_notes.html">GNU Privacy Guard</a> the open source implementation has been around for almost 20 years and it has not gone mainstream. I like the way <a href="http://risky.biz/RB355">Adam Boileau from Risky Business</a><sup id="fnref:risky-biz"><a class="footnote-ref" href="#fn:risky-biz">1</a></sup> puts it "If GPG was going to solve our problems it would have by now"</p>
<p>I think the problem with PGP is that you need to make a conscious decision to use it. Any time you have to think about using a security system it's already too much work for most users. Consider HTTPS, my grandfather who will be celebrating his 90th birthday in March uses a tablet to check his online banking. The encryption part of that just does it's thing and gets out of the way, he doesn't have to know what a Private Key or a Certification Authority is he just logs in and it's all taken care of for him.</p>
<p>WhatsApp rolled out the same end to end encryption that <a href="https://whispersystems.org/blog/whatsapp/">TextSecure uses</a> and most of it's user base never even knew there was a change. Apple's iMessage provides <a href="http://blog.cryptographyengineering.com/2015/09/lets-talk-about-imessage-again.html">robust encryption</a> and again most of it's users would have no idea what a key fingerprint is or how to check theirs but their messages are encrypted.</p>
<p>Even with email now, most mail protocols now (IMAP, POP, SMTP) all run over TLS and while it might not provide full end to end encryption it provides encryption in transit. When you consider the number of people using mail providers like Gmail and Yahoo Mail, it's clear that StartTLS has a much higher adoption that PGP ever will simply because most people that are using it don't know or need to think about it.</p>
<p>Even SSH for the most part hides the cryptography away, sure the first time you connect to a server it asks you to verify the fingerprint<sup id="fnref:fingerprint"><a class="footnote-ref" href="#fn:fingerprint">2</a></sup> but after that there is almost no noticeable difference between SSH and Telnet from the end users perspective.</p>
<p>I think for any encryption product (and most security systems for that matter) to take off and go main stream it needs to be almost invisible to the users. If you think "Now is the point where I do the encryption" at any point process then it's too much work. Whether that connecting to a server with SSH, viewing a website over HTTPS, sending an encrypted text message or sending an email it should happen automatically systems should be encrypted and secure by default with no user interaction.</p>
<p>To be clear here, I don't believe that these problems exist because users don't care about security or a too lazy to use a heed security advice. There is a good paper called <a href="http://www.nspw.org/papers/2009/nspw2009-herley.pdf">So Long, And No Thanks for the Externalities</a> from the abstract:</p>
<blockquote>
<p>It is often suggested that users are hopelessly lazy and unmotivated on
security questions. They chose weak passwords, ignore security warnings, and
are oblivious to certificates errors. We argue that users' rejection of
the security advice they receive is entirely rational from an economic
perspective. The advice offers to shield them from the direct costs of
attacks, but burdens them with far greater indirect costs in the form of
effort.</p>
</blockquote>
<p>I don't necessarily agree with everything in that paper, but I do think that it raise a good point. <em>We as an industry need to make security easier than insecurity</em>.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:risky-biz">
<p>Episode 355 at 14:00, the section on the post begins at 13:05 <a class="footnote-backref" href="#fnref:risky-biz" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:fingerprint">
<p>I suspect that most people just blindly accept the fingerprint without checking. But even if it is blindly accepted (and possibly the fingerprints could be accepted automatically and hidden away unless users specifically ask for them) that doesn't mean it's useless. It can still provide a warnings like <a href="http://tack.io/">public key pinning</a>, that way it doesn't stop a man in the middle attack but it means that to go undetected attackers need man in the middle the first connection, and every subsequent connection, with the same key. <a class="footnote-backref" href="#fnref:fingerprint" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>Is antivirus dead yet?2015-09-17T07:00:00+08:002015-09-17T07:00:00+08:00Michael Van Delfttag:xo.tc,2015-09-17:/is-antivirus-dead-yet.html<p>For a long time I've felt that the usefulness of antivirus has been declining and I'm starting to wonder when it will finally die out, or more likely be absorbed into other security products and cease to exist as a standalone product.</p>
<p>Looking at enterprise (and completely ignoring home users …</p><p>For a long time I've felt that the usefulness of antivirus has been declining and I'm starting to wonder when it will finally die out, or more likely be absorbed into other security products and cease to exist as a standalone product.</p>
<p>Looking at enterprise (and completely ignoring home users for the moment) I think antivirus has past it's prime and is effectivly useless. Black listing software with a list of signatures<sup id="fnref:Heuristics"><a class="footnote-ref" href="#fn:Heuristics">1</a></sup> of known bad software simply doesn't scale. When I read through <a href="https://www.nostarch.com/metasploit">Metasploit - The Penetration Tester's Guide</a> Chapter 7: Avoiding Detection coverd the use of packers such as <a href="https://en.wikipedia.org/wiki/UPX">UPX</a>.</p>
<blockquote>
<p>Packers are tools that compress an executable and combine it with decompression
code. When this new executable is run, the decompression code
re-creates the original executable from the compressed code before executing
it. This usually happens transparently so the compressed executable can
be used in exactly the same way as the original. The result of the packing process
is a smaller executable that retains all the functionality of the original.
As with msfencode, packers change the structure of an executable. However,
unlike the msfencode encoding process, which often increases the size of
an executable, a carefully chosen packer will use various algorithms to both
compress and encrypt an executable. Next, we use the popular UPX packer
with Back|Track to compress and encode our payload3.exe payload in attempt
to evade antivirus software detection.</p>
</blockquote>
<p>UPX was first release in 1998 and repacking software to avoid anitvirus detection has become even more mainstream now. In 2009 Brian Krebs wrote a great article about <a href="http://www.krebsonsecurity.com/2009/12/virus-scanners-for-virus-authors/">virus scanners for virus authors</a>, sites where you can submit your files and check to make sure they don't get detected by any antivirus products.</p>
<p>Malware like <a href="https://en.wikipedia.org/wiki/CryptoLocker">CryptoLocker</a> is packaged before it's sent out in spam emails. Often in addition to packaging it's also either zipped with a password that's provided in the body of the email or it's a link with to a page with a captcha to defeat email scanning from picking it up. I was at a security forum recently and people were discussing their experiences with CryptoLocker<sup id="fnref:CryptoLocker"><a class="footnote-ref" href="#fn:CryptoLocker">2</a></sup> and everyone said that their fully patched and up to date desktop antiviurs (from a wide variety of vendors) had missed it, but that within 24 to 48 hours had signatures.</p>
<p>24 hours to add signatures is incredibly fast, but clearly it's not fast enough. Updating signatures can never be fast enough, conceivably malware authors could uniquely package every single file they send out.</p>
<p>Within an enterprise there are much better ways to deal with malware. I believe application whitelisting, patching software and reducing user permissions is far more effective than antivirus can ever be. Antivirus has been bumped down the chain of the <a href="http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm">ASD top 35</a> to number 22. With the top 4 being Application whitelisting, Patch applications, Patch operating system vulnerabilities and Restrict administrative privileges.</p>
<p>There was a great paper <a href="https://www.usenix.org/system/files/conference/soups2015/soups15-paper-ion.pdf">Comparing Expert and Non-Expert Security Practices</a> which showed that the top thing security experts did to stay safe was update their system while the top thing non-experts did was run antivirus.</p>
<p><img alt="Expert and Non-Expert Security Practices" src="https://xo.tc/images/Expert-and-Non-Expert-Security-Practices.png"></p>
<p>I don't know any Linux or Mac users that run antivirus and I know a few Windows users who don't run antivirus (they also don't run Java, Flash Player, Silverlight or other browser plugins and they keep their systems up to date.)</p>
<p>Maybe in a home environment where the users need administrative access<sup id="fnref:administrative-access"><a class="footnote-ref" href="#fn:administrative-access">3</a></sup> to install new programs and updates, where whitelisting and removing privileges is not an option something like antivirus to say "Are you sure you want to run trojan.exe?" might still be useful. But in the enterprise I think its days are numbered.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:Heuristics">
<p>This includes antivirs that uses heuristics <a class="footnote-backref" href="#fnref:Heuristics" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:CryptoLocker">
<p>Fortunately everyones experience could be summed up more or less as "reimage the desktop, restore any encrypted files on network shares from the backups, get on with your day" <a class="footnote-backref" href="#fnref:CryptoLocker" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:administrative-access">
<p>They don't need to run as an administrator but they need access to do things as administrator, I don't run as root but I have sudo. <a class="footnote-backref" href="#fnref:administrative-access" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
</ol>
</div>Changing SSH from port 222015-09-10T07:00:00+08:002015-09-10T07:00:00+08:00Michael Van Delfttag:xo.tc,2015-09-10:/changing-ssh-from-port-22.html<p>Changing the SSH service to run a port other than 22 is fairly common security practice but I don't like it. The problem is that I find it really hard to argue against doing it, because it <em>works</em>.</p>
<p>What ever else I might say in this post it doesn't change …</p><p>Changing the SSH service to run a port other than 22 is fairly common security practice but I don't like it. The problem is that I find it really hard to argue against doing it, because it <em>works</em>.</p>
<p>What ever else I might say in this post it doesn't change the fact that changing SSH to another port <em>works</em>. That is to say that it's an effective way to stop <code>/var/log/auth.log</code> from filling up with spam making it hard to find important logs. Also for the most part it thwarts the run of the mill bruteforcing worms / botnets from hammering on your server which (assuming you have password auth) might eventually get lucky. Just as an example as I write this I went to look at the logs for the server hosting <a href="https://xo.tc/">xo.tc</a> for the last 24 hours, and counted over 50 distinct IP addresses that have tried to brute force their way in before I gave up and stopped counting.</p>
<p>But despite the fact that it's easy to implement and effective, something about it just feels wrong to me. I think the main reason is that I'm a huge fan of <a href="https://en.wikipedia.org/wiki/Kerckhoffs's_principle">Kerckhoffs's principle</a> the idea that everything about a system, except the key, is public knowledge. SSH is a perfect example of that, you can view the entire source code for <a href="http://www.openssh.com/">OpenSSH</a>. I could publish my <code>sshd_config</code> and my <code>authorized_keys</code> (or if I had enabled password authentication my <code>/etc/shadow</code> file<sup id="fnref:brute-force"><a class="footnote-ref" href="#fn:brute-force">1</a></sup>). You can study every detail of how SSH works, and still not be able to access my server without my key<sup id="fnref:zero-day"><a class="footnote-ref" href="#fn:zero-day">2</a></sup>.</p>
<p>I feel like you should assume that attackers will know which port you are running SSH on. Assuming it is unknown could lead people into a false sense of security, I haven't seen this but I could easily imagine someone thinking "I don't need a strong password on my server because they will never guess my SSH port".</p>
<p>The other reason I don't like changing the port is that I do like things to stick to the standards, it make it easier for everyone. If you're administering an outbound firewall and you see that outbound connections to a particular IP address on port 22 are allowed, it's fairly safe to assume that it's SSH, and not someone who has decided it would be fun to run their HTTP web server on a funny port. But if you see connections allowed on port 4489, that could be anything.</p>
<p>There are other ways to achieve more or less the same results as changing your SSH port and increase security. For example if you know the addresses you will be SSHing in from, you can simply firewall off all other addresses, job done. While it's much more affective to have a whitelist than a blacklist, if you're not sure about where your connections might be coming from you can install something like <a href="http://www.fail2ban.org/wiki/index.php/Main_Page">fail2ban</a> and block any address after a few failed attempts. It doesn't totally stop the spam in your logs but it should reduce it to a manageable volume.</p>
<p>As said at the beginning of this post, changing SSH to another port <em>does</em> reduce the number of bots trying to brute force your server. But I don't like it, it just feels too much like security through obscurity to me.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:brute-force">
<p>You could run an offline brute force / dictionary attack against the hash but with a well chosen password and a good hash like PBKDF2 this should still be secure. <a class="footnote-backref" href="#fnref:brute-force" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:zero-day">
<p>I'm assuming here that you don't have some sort of 0-day against the OpenSSH implementation of SSH or other software that I'm running on the server. Obviously there will be flaws in software but that's a diffrent issue. <a class="footnote-backref" href="#fnref:zero-day" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>Liars & Outliers2015-09-03T07:00:00+08:002015-09-03T07:00:00+08:00Michael Van Delfttag:xo.tc,2015-09-03:/liars-outliers.html<p>I read <a href="https://www.schneier.com/books/liars_and_outliers/">Liars & Outliers</a> in September 2012 however I've only just decided to review it now in September 2015 so this review could be seen as "Which points had enough impact that they stuck with me for 3 years?". There might be some mistakes in this review from my hazy …</p><p>I read <a href="https://www.schneier.com/books/liars_and_outliers/">Liars & Outliers</a> in September 2012 however I've only just decided to review it now in September 2015 so this review could be seen as "Which points had enough impact that they stuck with me for 3 years?". There might be some mistakes in this review from my hazy memory but I've got my copy with me to thumb through so I should be able to check it.</p>
<p>It was the first of Bruce Schneier's books that I'd read and one of the things that struck me about his writing style was the number of references and foot notes he made<sup id="fnref:foot-note"><a class="footnote-ref" href="#fn:foot-note">1</a></sup>. Of the 368 pages in the book 250 are the main content and the other 118 are references and foot notes. You are left with the impression that Bruce is not just imparting his views of the world, but has solid well researched scientific evidence to back them up.</p>
<p>It centres around the question of how we have managed to achieve trust in our society and focus on the idea of four key "societal pressures" that we impose on people to create trust.</p>
<ul>
<li><strong>Moral Pressures</strong> - Ethics, Doing the right thing because it's right, generally more of an individual thing but can be applied to organisations too.</li>
<li><strong>Reputational Pressures</strong> - If people know you are a crook they won't work with you, if your organisation has a reputation for not honoring warranties people won't buy your products.</li>
<li><strong>Institutional Pressures</strong> - Laws, taxes, regulations these scale up very well but are harder to enforce on an individual level.</li>
<li><strong>Security Systems</strong> - What most people think about as more traditional security, things like firewalls and padlocks. Designed to prevent people from being able to do the wrong thing even if they want to.</li>
</ul>
<p>I think this graph taken from page 71 neatly sums up how different societal pressures scale from small communities of just a few people to global communities.</p>
<p><img alt="societal pressures" src="https://xo.tc/images/societal-pressures.jpg"></p>
<p>I think it's very useful for security professionals (and executives) to understand that "Security Systems" is not the only way to prevent unwanted behavior, and often not the most effective.</p>
<p>A classic example of when another type of pressure is more appropriate and often more effective is web filtering. I've seen schools that have a proxy serve scanning all images<sup id="fnref:proxy"><a class="footnote-ref" href="#fn:proxy">3</a></sup> running some sort of image recognition technology over them trying to find and block pornographic content. Needless to say it didn't work well, with photos of <a href="https://en.wikipedia.org/wiki/Patrick_Stewart">Patric Stewart</a> tripping the sensors because they had "too much smooth skin tone".</p>
<p>Another area that it comes up that we really don't like to talk about as systems administrators is ensuring that people with root access do the right thing. While it is possible to design a system such that even the systems administrators don't have access to sensitive content it's incredibly hard<sup id="fnref:leaks"><a class="footnote-ref" href="#fn:leaks">4</a></sup>. I most organisations the administrator have unrestricted and uncheked assess. They are not restricted by the fourth pressure "Security Systems" but most sysadmins still do the right thing because of Moral, Reputational and Institutional pressure.</p>
<p>That is not to say that we shouldn't try to design systems that force the administrators to to the right thing but that it's naive to think that people are only doing the right thing because security systems force them to.</p>
<p>Imagen saying to an auditor "Well, most sysadmins could snoop on employee email but they don't because it's morally wrong, and they know that if they got caught they <em>might</em> lose their job or face legal issue but they would <em>definitely</em> lose the respect of their colleagues" it doesn't sound very good but for many organistions it's true, and for many organisations it's enough of a deterrent.</p>
<p>While saying something like "We log all access to email and check it on a monthly basis and require two admins to authenticate before giving access to another users account." now that sounds great! If you can achieve a system like that brilliant, but it doesn't often work out like that in reality.</p>
<p>I think it's wise to pay attention to these situations and know where you are not protected by a security system. Have a think about your organisation and where people have access but are using it responsibly.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:foot-note">
<p>Maybe this struck a cord with me because I like foot notes<sup id="fnref:foot-note-foot-note"><a class="footnote-ref" href="#fn:foot-note-foot-note">2</a></sup>. <a class="footnote-backref" href="#fnref:foot-note" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:foot-note-foot-note">
<p>I mean I like them so much I recursively put foot notes in my foot notes about how much I like foot notes. <a class="footnote-backref" href="#fnref:foot-note-foot-note" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:proxy">
<p>And breaking HTTPS in the process by putting a local CA cert onto all the computers and Man-in-the-Middleing the connection. <a class="footnote-backref" href="#fnref:proxy" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
<li id="fn:leaks">
<p>As we have seen from the Snowden and Manning leaks even the NSA / Army struggles with this. Snowdn and Manning had access to thousands of sensitive documents and were able to hoover them up without tripping alarms. <a class="footnote-backref" href="#fnref:leaks" title="Jump back to footnote 4 in the text">↩</a></p>
</li>
</ol>
</div>Is bad crypto better than no crypto?2015-08-27T07:00:00+08:002015-08-27T07:00:00+08:00Michael Van Delfttag:xo.tc,2015-08-27:/is-bad-crypto-better-than-no-crypto.html<p>I've been reading through <a href="https://bettercrypto.org/">bettercrypto.org</a>'s <a href="https://bettercrypto.org/static/applied-crypto-hardening.pdf">Applied Crypto Hardening</a> and really enjoying it. They take a refreshingly practical approach to cryptography books. I've done a couple of cryptography courses, and read <a href="http://www.crypto-textbook.com/">Understanding Cryptography</a> cover to cover, which had great video lectures and problem sets to solve. Actually I started …</p><p>I've been reading through <a href="https://bettercrypto.org/">bettercrypto.org</a>'s <a href="https://bettercrypto.org/static/applied-crypto-hardening.pdf">Applied Crypto Hardening</a> and really enjoying it. They take a refreshingly practical approach to cryptography books. I've done a couple of cryptography courses, and read <a href="http://www.crypto-textbook.com/">Understanding Cryptography</a> cover to cover, which had great video lectures and problem sets to solve. Actually I started watching the <a href="https://www.youtube.com/channel/UC1usFRN4LCMcfIV7UjHNuQg/videos">videos</a> first and they were so good I bought the book. </p>
<p>All the course and books I've come accross go out of their way to be vendor neutral, which I think is a great thing. Not using specific software or versions in the books an courses means that they age well. However it also means they lack practical content and at the end of the course I feel I have a solid understanding of how the cryptography works, but haven't learnt how to configure OpenSSL for Apache, nginx and postfix or setup SSH with keys rather than passwords.</p>
<p>Applied Crypto Hardening on the other hand doesn't cover the theory but goes straight to the practical. It squarely targets sysadmins. It provides simple configs that can easily be copied and pasted. Eben Upton has a great <a href="https://youtu.be/kj91taKHlmM?t=1m10s">anecdote</a> of when he got his first computer and bought a mouse but didn't know how to get it working. So his dad phoned tech support for him and they said "If your son can't write his own mouse driver, then he does not deserve a mouse." Now days it's almost inconceivable that someone would write a mouse driver, or even know what a driver is before they start using a mouse. The point is that people don't need to know all the internals of how something works to use it. It's not a perfect example I know, but I don't fully understand how all the internals of my microwave oven work, but I can still cook with it. Most sysadmins don't need to fully understand how all the internals of cryptography work but can still enable TLS to secure their users.</p>
<p>When I got to Applied Crypto Hardening's settings for postfix I saw they supported some weak ciphers but it was prefaced by a <a href="https://github.com/BetterCrypto/Applied-Crypto-Hardening/blob/afb7ead4d1b5d7937c6e6e81e33cefc4591c3df1/src/practical_settings/mailserver.tex#L183-L185">bit</a> that says:</p>
<blockquote>
<p>...However, we leave this at its default value for server to server connections, as many mail servers only support outdated protocols and ciphers. We consider bad encryption still better than plain text transmission. </p>
</blockquote>
<p>While I agree with their decision it's an interesting view and worthy of debate.</p>
<p>The examples of where bad crypto is better than no crypto I would think should be fairly clear. Take for example if email was transmitted using a single round of <a href="https://en.wikipedia.org/wiki/Data_Encryption_Standard">DES</a>, it's clearly broken. I haven't kept up to date with factoring speeds and hardware needed to crack DES. The last time I looked at cracking DES was around 2012 when Moxie Marlinspike did some <a href="https://www.youtube.com/watch?v=sIidzPntdCM">truly amazing research into breaking MS-CHAPv2</a> and part of that involved breaking a single round of DES which took a <a href="https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/">worst case of ~23 hours</a> so I think it's fair to assume that in 2015 someone with a few hundred bucks and 24 hours on Amazon Web Services could brake it. If I was given a choice where someone could either read all my emails whenever they like, or read all my emails but it would cost them $100 per email and take 24 hours before they could read it I'd choose the second option every time.</p>
<p>The counter example that is that weak crypto has the potential to lull people into a false sense of security. Take the MS-CHAPv2 example from before, many people were using and are still using PPTP VPNs with MS-CHAPv2 to connect to their work because it's the default in many Microsoft Products. It's easy to use and integrates nicely with Active Directory. They believe they have a secure connection to their work but they are putting themselves at risk every time they use it. If they were to use it at a coffee shop or on McDonald's free WiFi for example someone malicious could not only break their encryption but recover their username and password<sup id="fnref:PPTP-password-recovery"><a class="footnote-ref" href="#fn:PPTP-password-recovery">1</a></sup> and connect in with their credentials to start rifling through confidential documents. </p>
<p>I'm aware that the text says "better than <strong>plain text transmission.</strong>" but another option that I think is worth discussing is failing loudly. A good example of this is after the <a href="https://en.wikipedia.org/wiki/POODLE">POODLE</a> attack came out many websites disabled SSL 3.0 and if you try to visit those sites using something like Internet Explorer 6 you just get a message that the site could not be loaded. Rather that just silently downgrade to weaker encryption, because bad encryption still better than plain text, some sites simply don't work at all with weak crypto. If people want to use that service they need to use a modern browser. It's possible to set postfix to only accept TLS connections and no plain text email. Imagine if users got a bounce back saying that the email can't be delivered because their server doesn't support secure email. I'd like to think that that would get some questions asked and some systems upgraded<sup id="fnref:email-bounce"><a class="footnote-ref" href="#fn:email-bounce">2</a></sup>.</p>
<p>Over all I think they made the right choice, I think that we are unlikely to be able to change all mail server to modern encryption. In most cases it's better to downgrade to weak ciphers than to downgrade to none, and punishing the users of an outdated system by not accepting their mail at all is not really the right way to go about things. I'm a follower of the <a href="https://en.wikipedia.org/wiki/Robustness_principle">Robustness Principle</a> </p>
<blockquote>
<p>Be conservative in what you do, be liberal in what you accept from others</p>
</blockquote>
<p>It should also be noted that the Applied Crypto Hardening settings for postfix do enforce high grade crypto for when you own both ends (i.e. internal mail servers, and clients connecting to the server)</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:PPTP-password-recovery">
<p>The attack doesn't directly recover the password, it recovers an MD4 hash of the password, which is all that's needed to connect to a PPTP VPN or that could be used in an off line dictionary attack. <a class="footnote-backref" href="#fnref:PPTP-password-recovery" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:email-bounce">
<p>Although the cynic in me who has seen that most users don't even read enough to see the difference between can't be delivered because it's too large and address doesn't exist is not so sure. <a class="footnote-backref" href="#fnref:email-bounce" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>Password Strength2015-08-20T07:00:00+08:002015-08-20T07:00:00+08:00Michael Van Delfttag:xo.tc,2015-08-20:/password-strength.html<h1>How to reason about password strength</h1>
<p>This is an issue I see come up a lot, it's discussed on <a href="http://security.stackexchange.com/">Security Stack Exchange</a> all the time. It came up on the <a href="https://www.sage-au.org.au/">Sage-AU mailing lists</a> recently. But every time I see this discussion come up there are misunderstandings, mistakes or people talking …</p><h1>How to reason about password strength</h1>
<p>This is an issue I see come up a lot, it's discussed on <a href="http://security.stackexchange.com/">Security Stack Exchange</a> all the time. It came up on the <a href="https://www.sage-au.org.au/">Sage-AU mailing lists</a> recently. But every time I see this discussion come up there are misunderstandings, mistakes or people talking at cross purposes so I wanted to write up a set of principles or assumptions that we can use when discussing passwords that will hopefully make it easier to have a conversation about password strength.</p>
<p>These are some thoughts on how I think strength should be measured, none of them are set in stone and I could be persuaded to change my views on any of these points by reason and logical argument.</p>
<h2>Assume the algorithm to generate the password is known.</h2>
<p>This is basically <a href="https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle">Kerckhoffs's principle</a> "A cryptosystem should be secure even if everything about the system, except the key, is public knowledge." only applied to passwords.</p>
<p>I often see people saying things like "If I repeat my password twice, will it increase the strength?" or "If I add a non-ascii character..." and "what if I sha1 my weak password then use the output as a password". The response usually comes back along the lines of "Well, maybe, kinda, yeah but not really" with people saying "Now crackers know you do that, they will just adjust their method".</p>
<p>The problem is that people get caught in the trap of thinking too much about what the attackers currently doing. That ends up in an infinite cat and mouse game that no one can win. Crackers are using dictionaries so people add a number to the end of the word. Then crackers start adding numbers to the end of their dictionaries so we add special character and crackers add special characters too. Rinse and repeat.</p>
<p>I've seen people say things like "Now crackers will <a href="https://xkcd.com/936/">generate four random words</a> when they attack so the xkcd system is broken" but they are missing the point. The comic assumes (in both cases) that crackers know exactly how the password was generated. If you have a list (a public list) of 2048 common, easy to type, lowercase words, and pick 4 at random (truly random, use a computer) that's 2048^4 options or 44-bits of entropy. You can give that advice to anyone, everyone in the world could use that method, it could be the only method of generating passwords, and the only one crackers target, and it would still give 44-bits of entropy every time.</p>
<p>It makes it much easier to calculate and compare methods of generating passwords if we only look at the entropy.</p>
<h2>Assume the whole password needs to be guessed at once.</h2>
<p>In general if password are stored well using something like PBKDF2 (or even if they are not stored well, using something like md5) you need to guess the whole password at once. For example if I use a password like "correct battery horse staple" if the passwords are hashed, a cracker can't work out that the first word is "correct" and then start working on the second word.</p>
<p>There are some situations where this assumption dose not hold. For example when the <a href="http://arstechnica.com/security/2013/11/how-an-epic-blunder-by-adobe-could-strengthen-hand-of-password-crackers/">Adobe database</a> was leaked, the passwords were encrypted with triple-DES ECB in <a href="https://crypto.stackexchange.com/questions/11456/">8 byte blocks</a>. So passwords could be "cracked" 8 bytes at a time.</p>
<p>If you are talking about a situation where an attacker can break passwords a bit at a time you should explicitly say otherwise it should be assumed that the whole password needs to be guessed at once.</p>
<p>I think many people already make this assumption which may have been the reason why there was so much debate around the <a href="https://telepathwords.research.microsoft.com/">Telepathwords</a></p>
<h2>Measure algorithm strength in bits.</h2>
<p>Often people people discuss the strength of their algorithm using a calculation based on how it works. For example if someone is talking about a key space of 8 lower case letters they might say 26^8. Someone else might be talking four random words from a list of 2000 common words so they might say 2000^4 or 1:16000000000000 if they want to make it seem larger. While another might be using scientific notation and to describe a 13-character base64 password 64^13 as 3.02231e+23. I use <code>dd if=/dev/random count=18 bs=1 2>/dev/null | base64</code> for passwords and I call it 144-bits because to me, I could output it to base32 or hex or some other arbitrary encoding, so it could be 64^24 or 16^36 depending on how I output it.</p>
<ul>
<li>16^36</li>
<li>64^24</li>
<li>1:22300745198530623141535718272648361505980416</li>
<li>2.2300745e+43</li>
<li>144-bits</li>
</ul>
<p>are all valid ways of talking about password strength but it's a bit like talking about the temperature in celsius, fahrenheit and kelvin. You can convert between them but it's hard to eyeball them and instantly see which is bigger.</p>
<p>So why bits? I could be persuaded to change my mind on all of these points, but this one more so. I do think it's helpful to use a consistent system to measure strength, but don't feel that strongly about bits. There some points in favor of bits over other systems but really a lot of it comes down to "I like bit, it feels intuitively right to me". Some points in favor of bits are:</p>
<ul>
<li>
<p>There is some president for it, cryptographic systems traditionally measure key space in bits, systems like KeePass show a password quality meter in bits.</p>
</li>
<li>
<p>It makes it easy to add up entropy form different sources, for example in the <a href="https://xkcd.com/936/">xkcd comic</a> the first letter 'T' it's got one bit for common caps. That's pretty easy to follow it could be a 't' or 'T' so it's one bit. Or where there is punctuation at the end it's got 4 bits, that could be one of 16 common punctuation character, so we add 4 bits. Work out all the places there are entropy and add them together.</p>
</li>
<li>
<p>It keeps the numbers low, generally < 300 which is nicer than working with unwieldy numbers with lots of zeros or decimal places.</p>
</li>
</ul>
<h2>Don't measure the strength of an individual password measure the algorithm.</h2>
<p>When I generate a password I use <code>dd if=/dev/random count=18 bs=1 2>/dev/null | base64</code> but this has exactly the same odds of producing <code>AAAAAAAAAAAAAAAAAAAAAAAA</code> as it dose producing <code>k7pwVtt3XzJlVmijr09lrTbO</code> someone could use their dog's name as a password, but the dog could be some 30 character Inuit word that's not in any dictionary.</p>
<p>Put simply one password is simply not a large enough sample size. Instead you need to look at what is the "key space" or how large is the pool of password that this one came from.</p>
<h2>Security of a Password Vs Strength of a Password.</h2>
<p>I'm going to try to define some terms here, I'm going to say the <em>security</em> of a password is how well it dose it's job (preventing unauthorized access to something) and that the <em>strenght</em> of a password is how hard it is to guess.</p>
<p>A practical example of this is with storage of passwords. It's an important issue and deserves a lot of attention as it can affect the <em>security</em> of a password but not the <em>strength</em>. There are two places a password needs to be "stored" (and I use that term loosely because I can't think of a better word than "stored"), the <em>user</em> and the <em>service</em> both need to store the password. How they are stored is important, depending on how they are going to be stored it might change how they should be generated, and how strong the need to be.</p>
<p>A password is likely to take ~900 CPU days to crack on modern hardware might be good enough but to encrypt a document which is embargoed for 7 days but might not be good enough for the Snowden documents.</p>
<p><strong>The User</strong>
The user needs a to "store" their password somewhere, this could be in their head, in a password safe like KeePass or Lastpass, or on a post-it note under their keyboard.</p>
<p>This will change how you want to generate your passwords I'm a huge believer in <a href="https://security.stackexchange.com/questions/6095/#6116">AviD's Rule of Usability</a> "Security at the expense of usability comes at the expense of security." An xkcd style one is going to be easier to remember while a base64 password will be shorter and easy to store in KeePass.</p>
<p>While it is possible to not know any of your passwords (you can store them all in a password safe and use a YubiKey to open the safe) in most real world, practical situation your going to want at lease a few passwords that you can remember.</p>
<p>As above if users write their password down on a post-it, it affects their <em>security</em> but doesn't fundamentally change the <em>strength</em> in terms of bits of entropy.</p>
<p><strong>The Service</strong>
People could write (and probably have written) entire books on password storage on the server side so I'm not going to dig into that here, although for most situations it usually boils down to "stick to the standards, use something like PBKDF2."</p>
<p>How the service stores the password will also affect how you generate passwords, maybe it's a service that's limited to 16 characters (looking at you Microsoft) <img alt="Microsoft Live Account sign up form" src="https://xo.tc/images/microsoft_live_sign_up_form.png"> so you want to jam as much entropy into those 16 characters as you can.</p>
<p>Again if a service stores passwords in plain text, it affects <em>security</em> but doesn't fundamentally change the <em>strength</em> in terms of bits of entropy.</p>