Saturday, December 28, 2013

Samsung Galaxy S4 Upgrade

OK, I won't moan about the NSA and GCHQ snooping overreach anymore - just secure everything you do to keep them and any other computer criminals out of your systems...

One way to improve security is to install a proper GNU/Linux Android system on your stock smart phone.  To do that, you need super user access (the Linux administrator account is known as the root user).  The process is generally described as rooting your phone.

By default, most phone manufacturers disable root access, since they do not want to be faced with a support nightmare due to millions of clueless users messing up their phones.

Once you have root access, you can install different software applications and delete the crud applications that the phone comes with.

There are various ways to get root access.  You can do the minimal thing and only create a root account and install one or two basic utilities for root access, or you can completely replace the half-baked Linux kernel that comes with your phone with a proper one that already has everything set up.  The latter is much easier, but may not work in your region.

This guide is for the delightful little Samsung Galaxy S4 Mini GT-I9192. For other phones, you could use the links below to start the hunt for the correct versions of software.  Don't use the code linked below for a different phone model.

Get a Samsung Update

The first thing to do, is to get the latest Android build from Samsung, so that you can roll the phone back when you mess it up - not if, when...

Some friendly folks keep them here:
http://samsung-updates.com/device/?id=GT-I9192

For example KSA-I9192XXUAMH3-20131101105408.zip, which is the Saudi version sold in the Middle East.

Some unfriendly folks keep trying to shut this archive down for no good reason, so you may have to root around on the net to find it again if it disappears.


Make a Windows XP Virtual Machine

Get Oracle Virtualbox from https://www.virtualbox.org/wiki/Downloads and an old Windows XP install disk image.  I happen to own about a dozen copies of XP, so I have enough to last me till the next century.  Newer versions of Windows are ridiculously slow and XP works fine on a VM.

Once you have installed it, along with the Guest Additions, make a tar backup of the whole thing so that you never have to install it again when it gets messed up with crudware - just untar a fresh VM from the backup.

All of this works purrfectly fine on my Mac Pro.

Get the USB Driver

You also need the USB device drivers for the phone.  These are contained in a terribly buggy and unusable program by Samsung called Kies, which you can get here:
http://www.samsung.com/ae/support/usefulsoftware/KIES/JSP

The program looks nice, but it tends to crash as soon as you try to do anything serious with it, which of course can be a disaster if it would do so while downloading code to the phone.  I think it is written with Microsoft dotNet, which would explain it all.

You have to download and install the whole catastrophe just to get the USB driver.  This is one reason why I play on a Windows XP virtual machine on Oracle Virtualbox.  I don't want to mess up a perfectly good real machine with cruft.

Get the Odin Downloader

You can get the excellent Odin downloader from the friendly folks at XDA from here:
http://www.devfiles.co/download/HfyuZUjP/ODIN_v3.07.zip

Try to find the latest version though.

Get a Full Featured Amestris Linux Kernel

You can get a real, honest to goodness Linux kernel from the friendly folks at XDA here:
http://forum.xda-developers.com/attachment.php?attachmentid=2466812&d=1387635358

This kernel was prepared by MJ Nazari - Thank you MJ!

Unzip it with 7-Zip available from the good blokes here:
http://www.7-zip.org/download.html

Download Mode - the Three Button Salute

Getting the phone into download mode is a little tricky.  First, you have to convince the darn thing to turn off.  If you press the Home button and it turns on again, then it wasn't off...
  • First turn the phone off
  • Press Home, Volume, Power at the same time
  • Then when the green screen comes up, let go and press volume up


How to get a Virtualbox Virtual Machine to see the USB connection

Virtualbox has a few funnies and if you just plug the phone in and try to connect to it, then you may get a message to the effect that the USB port is already used by someone else. To get around that, set up a USB connection Filter, so that it will connect the right way automatically.

  • Power off the Windows VM
  • Plug the phone USB cord in
  • In the Virtualbox machine Settings, select port, USB
  • Add a Filter for the Samsung phone
  • Unplug the phone again
  • Start the Windows VM
  • Log in as Administrator
  • Plug the phone in

Windows should now recognize it, but you may still not have the device driver.

Install the horrid Samsung Kies software to get the device driver.

Rooting Method 1

Install a root capable kernel

Now finally, you can run the virtual machine, log in as administrator, put the phone in Download Mode, plug the phone in, run Odin, wait for it to show a green [COM5], select the kernel in the PDA field and load the phone:
  • Download the .tar file to your computer
  • Power off your phone and hold the Volume down + Home + Power buttons simultaneously to boot into Download mode, then press Volume Up
  • Start the Virtual Machine and log in as Administrator
  • Connect the phone to your computer and wait a bit for the dust to settle in Windows
  • Run Odin, select the tar file in the PDA or AP field
  • Make sure F.Reset.Time option is unchecked
  • Click on Start and wait a while for the kernel to download and save to flash memory
  • When done, your phone will reboot by itself
Now you should be the proud owner of a Samsung phone with a proper Linux distribution on it, on which you can install secure software of your own choosing, and one of the new utilities on the phone should be SuperSU.

Rooting Method 2

Use Clockwork Mod (CWM)

If Method 1 above doesn't work for you, then try the CWM method described here:

The instructions in that posting are pretty clear, except for navigating the Clockworkmod application, which took some fiddling around.

The advantage of this method is that you will still run the stock Linux kernel and other software for your region, so everything on the phone should remain working.

Firstly, if something goes wrong and you cannot get into the Recovery Boot program, simply reset Odin, redo the Download Mode 3 finger salute and download the Recovery Clockwork tar file all over again.  I had to try multiple times before I got the hang of it.  You really have to hold the phone in your left hand when clicking the Start button, such that you can click Up Volume with your left thumb and press Home with your right hand (the 2 Button Salute) as soon as the phone vibrates.

Navigate the Clockwork menus using the volume button up/down and select an entry using the Home button - go back with the soft Back button to the right of the Home button.  

You may need to search around a bit to find the zip file on the SD card.  Once you get it, click Home.  When it is done, go back up in the menus till you get to the Reboot option.  Once rebooted, you should be able to find the SuperSU application on the phone.

This method finally worked for me, on my UAE (Saudi Arabian region) phone.

Problems

When the going gets tough, the tough get going

Half the fun is dealing with all the problems - you certainly need to have a sense of Geek adventure for this process.

If the phone gets messed up, try again, or roll back to the Samsung stock regional version downloaded above.  Provided that you start off prepared and save a stock kernel for your regional carrier, you should not have to go and buy a new phone when things go south.  Well, let's hope so anyway.

On my first try, a few days ago with a completely different rooting method, the WiFi didn't work.  On my second try as above, the Cellphone network didn't work anymore, but WiFi worked fine - sigh.  However, after I reloaded the stock Saudi Arabian kernel yet again, the device worked again, so one can always roll back to the (unrooted) Samsung stock version.  The Clockwork Mod method finally worked and got my phone rooted successfully.

Once rooted one way or another, you can go and get Cyanogenmod (http://www.cyanogenmod.org/) or ParanoidAndroid (http://forum.xda-developers.com/paranoid-android) and change the whole look and feel of your new toy and install Orbot, Orweb, Chatsecure, SSH Autotunnel, SSH/SFTP Server, Terminal Emulator and other security applications to give the NSA/GCHQ/CSE the Salmon Arm Salute (http://toronto.ctvnews.ca/one-finger-salute-crude-to-ont-film-review-bd-1.368040).


La voila!

Herman

Sunday, December 15, 2013

Écrasez l'infâme!

Now even the French are admitting to going at it with no judicial oversight, just the same as the NSA and GCHQ, and the Canadian CSE was found to have misused court orders granted for spying on citizens to allow other Five Eyes members to spy on Canadians on their behalf.

Voltaire


The mass snooping is not working, it is not catching any terrorists, it is a gigantic invasion of privacy and a colossal waste of money and resources that could be put to work more effectively. Furthermore, the whole thing is beginning to backfire.  Cisco is losing orders for switch gear, Boeing is losing plane orders to SAAB, while Blackberry was abandoned by everyone after they subverted their own security and RSA is losing disgruntled customers since they sold their soul for 10 million shekels of silver.

There is no war and no state of emergency, but the intelligence agencies are acting as if WW5 is under way.  This overreach has to stop.

What the Western Allies have now created, puts the old Catholic Church, its confessionals and inquisitions to shame.

As Voltaire so eloquently put it:  Écrasez l'infâme!

Tuesday, December 10, 2013

NSA Snoop and Error Proof Your Archives

An Englishman's Home is His Castle:

In 1760, William Pitt (the Elder) made a famous declaration of this right. "The poorest man may in his cottage bid defiance to all the force of the Crown.  It may be frail, its roof may shake, the wind may blow through it. The rain may enter. The storms may enter.  But the king of England may not enter.  All his forces dare not cross the threshold of the ruined tenement."

There is many a ruined castle in Europe.  You need to defend your castle if you want it to keep its value!

You should also consider the problem of data corruption, since any single bit error in an encrypted archive will render the whole thing unreadable.

Also remember this: Always tar a directory, never tar a bunch of files. 

It is extremely annoying when you get an archive from someone, untar it and end up with a million files scattered throughout your home directory...


Encrypting an Archive with GPG

An easy way to secure your data against unwarranted NSA and GCHQ snoops is with gpg.  Always use gpg before uploading archives to a public file server such as DropBox, Copy or Evernote.

Using pipes, you can string the tape archiver tar, bzip2 and gpg together like this:
$ tar -cj test | gpg -c >test.tar.bz2.gpg

(or use gpg -er username for key based encryption)

and to reverse it:

$ gpg -d < test.tar.bz2.gpg | tar -xj

The key configuration of GPG is shown in another post. 

 

Forward Error Correction

A good way to protect your data against corruption is with a Reed-Solomon forward error correcting code - the same kind used on CD-ROMs.  There is a little known utility that does it, called rsbep by Guido Fiala, and you can get the source using this link: http://www.filewatcher.com/_/?q=rsbep

Then build it the usual way with ./configure; make; sudo make install.  It is part of the BSD and Debian distributions.

Using pipes, you can string the tape archiver tar, bzip2, rsbep and gpg together like this:

$ tar -cj test | gpg -c | rsbep >test.tar.bz2.gpg.rs

(or use gpg -er username for key based encryption)

and to reverse it:

$ rsbep -d < test.tar.bz2.gpg.rs | gpg -d | tar -xj

The Reed-Solomon code will protect your archive against error bursts and will help to ensure that you can still read the data back from a failing archive system many years later.
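To make the single-bit-error warning above concrete, here is an added Python example (it is not part of the original post and is no substitute for rsbep or par2): it compresses a constructed payload with bz2, as tar -cj does, flips one bit in the middle of the stream and shows that the stream no longer decodes, and it mirrors the check-the-checksum-before-restoring decision, using sha256 where the page's scripts use md5. Everything in it is constructed for the demonstration.

```python
import bz2
import hashlib

# Constructed stand-in for the tar output of the page's tar | gpg pipeline.
SAMPLE = b"".join(
    b"entry %04d: some file contents worth keeping\n" % i for i in range(500)
)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted (simulated media decay)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def decompresses_intact(packed: bytes, expected: bytes) -> bool:
    """True only if the bz2 stream decodes cleanly to the expected payload."""
    try:
        return bz2.decompress(packed) == expected
    except (OSError, ValueError, EOFError):
        # bz2 either trips its block CRC check or runs off the end of the stream
        return False


def single_bit_error_is_fatal(payload: bytes = SAMPLE) -> bool:
    """Compress, damage one bit mid-stream, and report whether that was enough
    to make the whole archive unreadable (the point made in the post)."""
    packed = bz2.compress(payload)
    damaged = flip_bit(packed, (len(packed) * 8) // 2)   # one bit, mid-stream
    return decompresses_intact(packed, payload) and not decompresses_intact(damaged, payload)


def checksum(data: bytes) -> str:
    """Digest stored beside the archive; the page's scripts use md5sum, sha256 here."""
    return hashlib.sha256(data).hexdigest()


def verify_before_restore(archive: bytes, stored_digest: str) -> str:
    """Same decision as the untargpg script: 'OK' means go straight to decryption,
    'Checksum error' means attempt a par2 repair before decrypting."""
    return "OK" if checksum(archive) == stored_digest else "Checksum error"


def demo():
    """Run the three checks and return their results as a tuple."""
    packed = bz2.compress(SAMPLE)
    digest = checksum(packed)
    return (
        single_bit_error_is_fatal(),
        verify_before_restore(packed, digest),
        verify_before_restore(flip_bit(packed, 8), digest),
    )


if __name__ == "__main__":
    print(demo())
```

The checksum step is what lets the restore script decide whether a repair is needed before it pipes the archive into gpg; without it, a damaged archive only announces itself as a decryption or tar failure at the very end.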

 

Parity Bits

There is also a utility called par2 (and the handy GUI PyPar2) which adds Reed-Solomon parity data in a series of separate files.  These are in the par2cmdline and pypar2 packages.  This can be used to protect any files, but when you copy things around, you have to remember to pass the parity data along too.

Preventive Measures Using Par2

In order to ensure that I get into and stay in the habit of using gpg, I created a couple of scripts, so I can simply do:

$ targpg directory
and
$ untargpg directory

and the scripts will handle the messy details.

I tested the error recovery by corrupting the archive with hexedit - it works like magic!

Make an archive script like this called /usr/local/bin/targpg:
#! /bin/bash
# Make an encrypted archive of a directory, with an md5 checksum and par2
# recovery data, so that a damaged copy can be detected and repaired later
echo "Make an encrypted archive of directory $1"
tar -cj "$1" | gpg -c >"$1.tar.bz2.gpg"
md5sum "$1.tar.bz2.gpg" > "$1.tar.bz2.gpg.md5"
par2create -n1 "$1.tar.bz2.gpg"
ls -al "$1"*


as well as untargpg:
#! /bin/bash
# Untar a GPG encrypted archive, attempting a par2 repair if the md5 check fails
echo "Untar a GPG encrypted archive $1"
RESULT=$(md5sum -c "$1.tar.bz2.gpg.md5")

if [ "$RESULT" != "$1.tar.bz2.gpg: OK" ]
then
  echo "MD5 error - Attempt a repair"
  par2repair "$1.tar.bz2.gpg.par2"
fi

# Try to decrypt and untar regardless
# because the md5 and par2 files may be missing
gpg -d < "$1.tar.bz2.gpg" | tar -xj
ls -al "$1"*
 


and then one day when your disk goes south, par2repair may save the day.

La voila!

Wednesday, November 27, 2013

Netcat Relays

Netcat is a fantastic tool for tying networked devices together in the spirit of DucTape,  baling wire and twine...

How it Works

Netcat connects a network socket to stdin and stdout.  To initiate a connection, it can act either as a listener or a client.  Once connected, it will simply shovel data back and forth.  That is all.  

What you do with it is totally up to your imagination.

Here is a netcat based Double Listener Relay:

mkfifo /tmp/buf
nc -l 5566 </tmp/buf | nc -l 6655 >/tmp/buf

It uses two instances of netcat, tied together through stdin and stdout, with the help of a fifo.  One could make such a relay on a publicly addressable server where anyone can connect to it.

The first netcat listens on port 5566, gets its standard input from the fifo and sends its standard output to the standard input of the second netcat instance through a pipe.  The second netcat listens on port 6655, gets its standard input from the first netcat and sends its standard output to the fifo, which effectively loops it back to the first netcat.

Two clients that may be behind firewalls can connect to each other via this relay:
nc relayipaddress 5566
nc relayipaddress 6655

and they can then communicate with each other despite the intervening firewalls.

Note that the latest and greatest version of netcat from the Nmap project called ncat has this kind of relay feature built in as the --broker option, but doing it as above with the original netcat is much more fun and illustrates stdio redirection and FIFOs.

In the Spirit of the NSA Scandal, here is a Spying Relay:

mkfifo /tmp/buf
nc -l 5566 </tmp/buf | nc -l 6655 | tee /tmp/buf

The tee program will send the data to the fifo and also to the terminal, so that you can see what is going through the relay, in order to debug something.
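The same double listener relay, including the tee-style tap of the spying variant, as an added Python example that is not from the original post. It binds to 127.0.0.1 and picks free ports at run time so that it can be tried offline, and the two client messages in demo() are constructed; nothing here is netcat's own code.

```python
import socket
import threading


def _pump(src, dst, tap=None):
    """Shovel bytes from src to dst until src hits EOF, then half-close dst.
    If a tap callable is given it sees every chunk: that is the 'tee' relay."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            if tap is not None:
                tap(chunk)
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listener(host, port):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def start_relay(host="127.0.0.1", port_a=0, port_b=0, tap=None):
    """Listen on two ports (0 = pick a free one); once one client has connected
    to each, join them so that whatever one sends the other receives.
    Returns (port_a, port_b, relay_thread).  The loopback default keeps the
    relay off the public network, which the post warns about."""
    la = _listener(host, port_a)
    lb = _listener(host, port_b)

    def run():
        ca, _ = la.accept()
        cb, _ = lb.accept()
        la.close()
        lb.close()
        t_ab = threading.Thread(target=_pump, args=(ca, cb, tap), daemon=True)
        t_ba = threading.Thread(target=_pump, args=(cb, ca, tap), daemon=True)
        t_ab.start()
        t_ba.start()
        t_ab.join()
        t_ba.join()
        ca.close()
        cb.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return la.getsockname()[1], lb.getsockname()[1], t


def demo():
    """Connect two clients through the relay and exchange one constructed line
    each way.  Returns (what B received, what A received, bytes seen by the tap)."""
    seen = []
    pa, pb, relay = start_relay(tap=seen.append)
    a = socket.create_connection(("127.0.0.1", pa))
    b = socket.create_connection(("127.0.0.1", pb))
    a.sendall(b"hello from A\n")
    got_b = b.recv(4096)
    b.sendall(b"hi from B\n")
    got_a = a.recv(4096)
    a.close()
    b.close()
    relay.join(timeout=5)
    return got_b, got_a, b"".join(seen)


if __name__ == "__main__":
    print(demo())
```

The two pump threads play the role of the fifo and the pipe: each direction is shovelled independently, and closing one side half-closes the other so that EOF propagates through the relay just as it does with netcat.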

Keeping netcat Running

When a connection is terminated, the netcat listener will usually also exit.  Some versions of netcat have a 'keep' or -k option which can be used together with the -l option to keep it running and listening for the next user.

Another way to keep a listener going is to stuff netcat inside an endless loop:
while true; do nc -l 5566 </dev/ttyUSB0 >/dev/ttyUSB0; sleep 1; done &

Also put a sleep 1 command in the loop to slow it down in case of an error, so that it won't spin at high speed and consume all processing resources.

Perfect Insecurity

Of course, running a relay of any kind on a public machine is a HUGE security problem, so don't leave it running for too long or an angry IT Admin may want to hit you upside the head with a clue by four...

Thursday, November 21, 2013

GPG Keys and Password Management


Preface

GPG has a good encryption algorithm, but terrible key management and no forward secrecy.   If your private key is compromised, then all your old data can be read.  For most people, it is simply unworkable due to the key exchange problems.

I recommend that everyone switch to Signal and WhatsApp for secure messaging and phone calls and when you suspect that something is wrong - your system/keys were compromised, simply create a new account. 

For your passwords, I recommend that you use KeepassX to generate and save unique passwords for all your internet, financial and computer accounts - do not re-use passwords on different services.

Scope

For the real card carrying geek masochists out there, this document briefly explains how to set up GPG with public and private keys, publish your public key to a key server and then configure ‘pass’ the standard Unix password manager.

With 'pass', you can easily generate long passwords, save them using GPG encryption and easily retrieve a password to the clipboard, so that you can paste it into a login dialog.

The advantage of 'pass' over other password managers is that it is super simple - a Bash script.  Passwords are saved in GPG files, so you can use standard utilities to manage, save and copy your passwords, without being beholden to a 3rd party application.

'Pass' is so simple that you can run it on any kind of UNIX, including Linux and Apple Mac machines.   The database is encrypted, so it can be safely kept on Dropbox or another free file service.  However, it is clunky, so you need to love the command line to like this one!

Another popular alternative is KeepassX, which is compatible with Keepass on Windows. Likewise, you can save the database on Dropbox to make it available on all your devices.  It doesn't need any explanation, since it has a GUI. For those worried about Keepass, see this: http://www.ssi.gouv.fr/fr/produits-et-prestataires/produits-certifies-cspn/certificat_cspn_2010_07.html

That still leaves the initial laptop computer full disk encryption and login passwords which you need before the password manager is running - write those on a piece of paper and keep it in your wallet!

gpg --gen-key

These options are good:
  • RSA and RSA
  • 2048
  • 3y
  • Herman Oosthuysen
  • herman@aeronetworks.ca
  • Don’tForgetYourVeryLongPassPhrase (and save it in KeepassX)

Example:
[herman@f16 ~]$ gpg --gen-key
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
  (1) RSA and RSA (default)
  (2) DSA and Elgamal
  (3) DSA (sign only)
  (4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
        0 = key does not expire
     <n>  = key expires in n days
     <n>w = key expires in n weeks
     <n>m = key expires in n months
     <n>y = key expires in n years
Key is valid for? (0) 3y
Key expires at Sun 20 Nov 2016 09:27:47 AM GST
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
   "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Herman Oosthuysen
Email address: herman@aeronetworks.ca
Comment:
You selected this USER-ID:
   "Herman Oosthuysen <herman@aeronetworks.ca>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 90 more bytes)
.....+++++
..+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...+++++
+++++
gpg: key 6D79E9A8 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2016-11-20
pub   2048R/6D79E9A8 2013-11-21 [expires: 2016-11-20]
     Key fingerprint = 8D3C C541 2E4B E39E 0C59  98AD 8427 2B59 6D79 E9A8
uid                  Herman Oosthuysen <herman@aeronetworks.ca>
sub   2048R/8FDD82DD 2013-11-21 [expires: 2016-11-20]
---

gpg-agent

The agent is usually started on demand by gpg, gpgsm, gpgconf or gpg-connect-agent.  Thus there is no reason to start it manually.  In case you want to use the included Secure Shell Agent you may start the agent using:
        gpg-connect-agent /bye

The usual way to run the agent is from the ~/.xsession file:
        eval $(gpg-agent --daemon)

Example:
$ gpg-agent --daemon
gpg-agent[1543]: a gpg-agent is already running - not starting a new one

Publish your Public key to a key server

First get the public key fingerprint:
$ gpg --fingerprint
/home/herman/.gnupg/pubring.gpg
-------------------------------
pub   2048R/6D79E9A8 2013-11-21 [expires: 2016-11-20]
     Key fingerprint = 8D3C C541 2E4B E39E 0C59  98AD 8427 2B59 6D79 E9A8
uid                  Herman Oosthuysen <herman@aeronetworks.ca>
sub   2048R/8FDD82DD 2013-11-21 [expires: 2016-11-20]

Send the key to a public key server using the fingerprint from above:
$ gpg --keyserver hkp://subkeys.pgp.net --send-key "8D3C C541 2E4B E39E 0C59  98AD 8427 2B59 6D79 E9A8"

gpg: sending key 6D79E9A8 to hkp server subkeys.pgp.net

Backup your keys

Save the public key as a text file that you can freely give to other people:
$ gpg --export --armor herman@aeronetworks.ca > herman-publickey.txt

Display the public key for reference:
$ cat  herman-publickey.txt
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)

mQENBFKNmpcBCAC4/AOi1/Fh/6giIb1mNra6XqQdhj5WRuSP39W9QELE4tCZ5Ehu
rRy8vQP9h2AsN6bYGQxCEWPsYzxw71oGcZEyCyo5//+lepidx2DZ9gDp9RzXKN11
EfhJnndvine4nUhDN8SOw3Flhr4Pw52+1XmJLlZHLPHMkWIupOgTnKbhSx6sLtBL
XAhYe19+HAVSXNLkU7XIC6JtV//20/b18pDhmYv5VoKwv9N1rKzRMJfF6uFft1LT
OjNg2D5z4S/955Yy3uJMbUpUz38OlVP2SboIxY8d7YaEMnsZCdj92vYitB9pFr+l
hBWZEvocdrVedoLXXb27NnM/WNtXR3/2o+VDABEBAAG0Kkhlcm1hbiBPb3N0aHV5
c2VuIDxoZXJtYW5AYWVyb25ldHdvcmtzLmNhPokBPgQTAQIAKAUCUo2alwIbAwUJ
BaOagAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQhCcrWW156ag4xwf/dbR5
i9ViYb4AwpdqYAx0WbSwt8geJ+C5TwCrf5wNuHPP7AEUHlhc1ea/7DGm8F3hED34
Q+pR6sLM7NBVLhqwu69z9xCs8uCnqpTF82khkm1dpnUDQc+qTY3rselB6WNUHbeh
B5oUHAzZhUP1E3NBSlvaFS2rtR5xrLX4T0/3YsETR9IkSbPckqAMAiUZv4D2TJoL
Er7XkvvgRBO6HMbl862zTPg3YVxlZBy72e/qMXsE137qBfiOXnUs53zzRaBLrCja
ftGDMKP6DPw1G/EaZpLSGYj3p88h36BSLvyOMIgsAwqgTmvRNXsh5BthgTB3Fm38
OUtI/myQtR3IjqkZC7kBDQRSjZqXAQgA76BdTiFRjJJzcvrV5hE0qsPUVXsWiwbV
eoJ578MJOLAs8X0gWz61DLsMi6r5NdNXa4l5xvbiOSrpPSC/DU2/XCJ43IJcpUTX
ezlVouUh+kpODKa1xRhMpBVdNVajtPMlcKbRBtGF/dFvJ4qcBFvQWeKuomAnaM4r
UXAec0niWKOXWYH5DBFBwVXXRB5GoXDytJVfIhDoiIFz3ljcBp+Vso4GIJGzsUAM
/WmVFVvzQE9eGaib3Pz6008sv7qgq/bIo/7/cP6aKYTE+KMZ2iGYuD1RnQ+yUBFL
eQC+XID8i3OiMRAkRBqDhp6i875/lUBQJDCKL685ZNY8uo5PJlB1jwARAQABiQEl
BBgBAgAPBQJSjZqXAhsMBQkFo5qAAAoJEIQnK1lteemomUEH/RfE6qIuI0hcQStL
wpH+eGM94U/ae/Xq8RVwet0Pz3MxXtnwu2vARIV52NdLDmVY7PwzbumV+XAGLgCz
QYq2H6pab2JRryQrnS4nElR9EOMenp/mYgM9vNdJeD+YK7kSAlnWv9v/I/JO1FLI
KBkArWBCHfDPWTNpLMkCwUz32HIDpbE8I/KKHh5mXpWvGu3XbP5f5iTimEy/1QwP
KorkoEJcdJuAB9ZPgGJ06uXlhlTq3wfiIB2NRteaoNnvTGukXxAl48tcD3jLZR31
6sTJM/TACpu+X7J0kv4sahO92KTd7Otl80yrb8jaXQy1XNvB08Ezgd1Q8pSdRbX3
NdjnwGM=
=hLVh
-----END PGP PUBLIC KEY BLOCK-----

Save your private key in KeepassX, or on a USB stick or SD card that you always keep in a safe or in your wallet:
$ gpg --export-secret-keys --armor herman@aeronetworks.ca > herman-privatekey.txt

No, I’m not going to display that one...

I keep these files in my ~/.ssh directory and tighten up the permissions:
$ chmod 600 herman-p*

Configure pass

Install dependencies:
# yum install xclip
# yum install xz

Download pass from here:
http://zx2c4.com/projects/password-store/

Untar it:
$ tar -Jxvf pass[tab]

Install it:
# make install

List the keys in the gpg keyring:
$ gpg --list-keys
/home/herman/.gnupg/pubring.gpg
-------------------------------
pub   2048R/6D79E9A8 2013-11-21 [expires: 2016-11-20]
uid                  Herman Oosthuysen <herman@aeronetworks.ca>
sub   2048R/8FDD82DD 2013-11-21 [expires: 2016-11-20]

Initialize the pass store:
$ pass init herman@aeronetworks.ca
mkdir: created directory `/home/herman/.password-store'
Password store initialized for herman@aeronetworks.ca.

Using the password store

Save an existing password:
$ pass insert visa/joe.plumber
supersecretpassword

Retrieve the password to the clipboard:
$ pass -c visa/joe.plumber

Now you can paste the password with Ctrl-V.

Most handily, because Linux has two clipboard buffers, you can highlight the username above and use middle click to paste it into a dialogue box as well, without having to retype it.  So: highlight and middle click for the username, and Ctrl-V for the password.

Multi-line passwords

This feature is not useful, unless you make a little gpg script of your own to retrieve the rest of the data.

Further Examples

From the pass man page:
      Initialize password store
             zx2c4@laptop ~ $ pass init Jason@zx2c4.com
             mkdir: created directory ‘/home/zx2c4/.password-store’
             Password store initialized for Jason@zx2c4.com.

      List existing passwords in store
             zx2c4@laptop ~ $ pass
             Password Store
             ├── Business
             │   ├── some-silly-business-site.com
             │   └── another-business-site.net
             ├── Email
             │   ├── donenfeld.com
             │   └── zx2c4.com
             └── France
                 ├── bank
                 ├── freebox
                 └── mobilephone

             Alternatively, "pass ls".

      Show existing password
             zx2c4@laptop ~ $ pass Email/zx2c4.com
             sup3rh4x3rizmynam3

      Copy existing password to clipboard
             zx2c4@laptop ~ $ pass -c Email/zx2c4.com
             Copied Email/jason@zx2c4.com to clipboard. Will clear in 45 seconds.

      Add password to store
             zx2c4@laptop ~ $ pass insert Business/cheese-whiz-factory
             Enter password for Business/cheese-whiz-factory: omg so much cheese what am i gonna do

      Add multiline password to store
             zx2c4@laptop ~ $ pass insert -m Business/cheese-whiz-factory
             Enter contents of Business/cheese-whiz-factory and press Ctrl+D when finished:
             Hey this is my
             awesome
             multi
             line
             passworrrrrrrrd.
             ^D

      Generate new password
             zx2c4@laptop ~ $ pass generate Email/jasondonenfeld.com 15
             The generated password to Email/jasondonenfeld.com is:
             $(-QF&Q=IN2nFBx

      Generate new alphanumeric password
             zx2c4@laptop ~ $ pass -n generate Email/jasondonenfeld.com 12
             The generated password to Email/jasondonenfeld.com is:
             YqFsMkBeO6di

      Generate new password and copy it to the clipboard
             zx2c4@laptop ~ $ pass -c generate Email/jasondonenfeld.com 19
             Copied Email/jasondonenfeld.com to clipboard. Will clear in 45 seconds.

      Remove password from store
             zx2c4@laptop ~ $ pass remove Business/cheese-whiz-factory
             rm: remove regular file ‘/home/zx2c4/.password-store/Business/cheese-whiz-factory.gpg’? y
             removed ‘/home/zx2c4/.password-store/Business/cheese-whiz-factory.gpg’

Sunday, November 17, 2013

Thursday, November 7, 2013

Computer Counter Counter Measures

Even Ol' Bill of the Wobbly Speare apparently had issues with his abacus, as he wrote in Macbeth:

We still have judgement here,
that we but teach bloody instructions,
which, being taught,
returns to plague the inventor!

The main problem with the pervasive spying is that the spy agencies themselves are leaky sieves that share their data far and wide, so goodness knows where your data ends up.  Next time you see a series of fraudulent transactions on your card statement, you now know who is to blame...

So, as Ol' Bill might wonder, how can thou protect thyself against the NSA and GCHQ overreach?

If you have a Dropbox (or insert your favourite cloud service) account and like to use it to share data between all your devices, then you can easily secure things using the cross platform Truecrypt available from here: http://www.truecrypt.org/

It works on Linux, Mac and Windoze and even has convenient apps for most mobiles.

Simply use Truecrypt to create an encrypted container of say 1GB in size inside your Dropbox directory.

Dropbox will then share the cypher text with your devices (and also the NSA, GCHQ, FSB and others), while Truecrypt will conveniently make the plain text available to you only.

The trick is not to make the encrypted container ridiculously large.  1GB is enough for most peaceful purposes.

Here is a sequence of screen shots of the process - easy:

[screenshots of the Truecrypt container creation steps not reproduced here]
To use it, you select the container using Truecrypt, type your password and Mount it - the default is NO NAME.  You then open NO NAME with your file browser and click-drag-drop stuff to it, or edit files directly inside it.  When you are done, you Unmount the container.  That is all.

Dropbox will synchronize the container file as usual and you can then mount and use it on any device.  Of course, you can also tell the password to someone else to exchange data securely.

Now you have no excuse not to share your data with all the spooks and mafiosi anymore!

Wednesday, November 6, 2013

The NSA Theme Song


This famous song by The Police really says it all:

Every breath you take
Every move you make
Every bond you break
Every step you take
I'll be watching you

Every single day

Every word you say
Every game you play
Every night you stay
I'll be watching you

"I woke up in the middle of the night with that line in my head, sat down at the piano and had written it in half an hour. The tune itself is generic, an aggregate of hundreds of others, but the words are interesting. It sounds like a comforting love song. I didn't realize at the time how sinister it is. I think I was thinking of Big Brother, surveillance and control."

—Sting
[http://en.wikipedia.org/wiki/Every_Breath_You_Take]

The main problem that I have with tapping the undersea cables, is that it is done with no judicial oversight whatsoever.  Of course, Google, Microsoft and Yahoo were stupid to use plain text communications over their trunks, so they are not blameless either.

There will be a huge furor if the government insists that each time you make a phone call, a policeman has to sit in your living room and look over your shoulder - but that is precisely what the American and UK governments are doing! 

Fascist Perverts doesn't even begin to describe it.

Nuf sed!

Monday, October 28, 2013

Serial Port Tricks

Bidirectional

The Netcat program can shovel data bidirectionally to/from a serial port and over a network, which is very handy indeed.

Set the serial port in raw mode and configure it:
# stty -F /dev/ttyUSB0 raw
# stty -F /dev/ttyUSB1 raw
# stty -F /dev/ttyUSB0 19200
# stty -F /dev/ttyUSB1 19200


Set up a netcat listener that will send data to/from the one serial device:
# nc -l 1234 < /dev/ttyUSB1 >/dev/ttyUSB1

Set up a netcat client that will send data to/from the other serial device:
# nc listeneripaddress 1234 < /dev/ttyUSB0 >/dev/ttyUSB0

Unidirectional

For debugging and scripting, you can also use ordinary cat, echo, head or even data definition to access the serial ports: 

Send data one way only using the common kitty:
# cat /dev/ttyUSB0 > /dev/ttyUSB1

Send a message out a port using echo:
# echo Hello > /dev/ttyUSB0

Send data denoted as hexadecimal values and suppress the LF at the end of the line:
# echo -en "\x12\x23\x45" > /dev/ttyUSB0

Read one character from a serial port using head:
# CHAR=$(head -c 1 /dev/ttyUSB0)
# echo "$CHAR"

Unbuffered Operation

The buffering is done by the tty layer and not by nc.  Use stty together with netcat to reduce the buffer size to zero:
stty -icanon && nc ...


The above will set the buffer size to zero while netcat is running.  It needs to be one command, otherwise the shell may set it back to normal again unexpectedly.

dBm to Watt

I tend to forget some of the values and am too lazy to calculate them.

dBm to Watt Conversion Table
dBm   Watts      dBm   Watts      dBm   Watts
  0   1.0 mW      16   40 mW       32   1.6 W
  1   1.3 mW      17   50 mW       33   2.0 W
  2   1.6 mW      18   63 mW       34   2.5 W
  3   2.0 mW      19   79 mW       35   3.2 W
  4   2.5 mW      20   100 mW      36   4.0 W
  5   3.2 mW      21   126 mW      37   5.0 W
  6   4 mW        22   158 mW      38   6.3 W
  7   5 mW        23   200 mW      39   8.0 W
  8   6 mW        24   250 mW      40   10 W
  9   8 mW        25   316 mW      41   13 W
 10   10 mW       26   398 mW      42   16 W
 11   13 mW       27   500 mW      43   20 W
 12   16 mW       28   630 mW      44   25 W
 13   20 mW       29   800 mW      45   32 W
 14   25 mW       30   1.0 W       46   40 W
 15   32 mW       31   1.3 W       47   50 W