Yearly Archives: 2015

66.3 bits of entropy and grackles

Leave a reply

0 minutes, 25 seconds

No relation to each other, aside from happening on the same day: My daughter gave me a note with a password on it:

20151223_160535

I was then to speak the password into the “walkie talkie” (mouse) when I needed help. I liked this because:

  • She even knew what a password was at all
  • She decided that her service needed a password
  • She used a pretty decent password, 66.3 bits of entropy!

Later that night, at sunset, just like the for the past 2 months, the grackles came to roost in our palm trees. Lovely!

Let’s Encrypt TLS & A+ on SSL Labs

Leave a reply

1 minute, 23 seconds

As you may recall, around here we like our TLS, and we like it rare!  I have no idea what “rare” means in the context of web encryption, but you know, that’s the way we like it!  We also like it cheap!  Even better than cheap (free) is open (libre)!  So, put it all together, and you get Let’s Encrypt TLS certs on plip.com and related properties.  Yay!

I saw the EFF/Let’s Encrypt crew speak at at DEF CON this past summer,  and it was super inspiring.  I’d already heard about the project, but it was that much more exciting to hear their talk.  I was dead set on cutting over from my old CA, to the new, definitively open, one.

While I was in my server, I went and visited my fave site for secure web server configs, cipherli.st. The only option I can’t run is SSLSessionTickets, as it requires Apache 2.4.11 or later. We’ll get there later with an Apache upgrade.

Put this all together?  You get a big fat A+ on SSL Labs.  w00t!

Some caveats are that Let’s Encrypt is just in public beta, so there’s some still some kinks to work out. For example, I mistakenly tried to get a cert for a wildcard vhost (eg “*.foo.bar.com”).  I got back an error:

An unexpected error occurred:
The request message was malformed :: Error creating new authz :: Invalid character in DNS name
Please see the logfiles in /var/log/letsencrypt for more details.

So, while I shouldn’t have selected the domain to get a cert (Let’s Encrypt doesn’t do wildcard certs), the error was a bit cryptic.  Fortunately the fine folks in their IRC channel (web IRC client – #letsencrypt @ Freenode to DIY) quickly pointed out to not use wildcards and that there was issue 1683 already open.

Awesome sauce, thanks Let’s Encrypt!

6 Vegas Sunsets, 1 ride

Leave a reply

0 minutes, 9 seconds

And one Bay Area one while flying out of OAK ;)

#6 was taken on this evenings quickie MTB ride to my fave local spot.  Here’s what it looked like when you turned the camera around:

20151110_161140

1 year running a Tor middle relay

Leave a reply

0 minutes, 22 seconds

pliptorYay!  I’m proud to announce that plip has been running a Tor middle relay for exactly a year. I believe in on-line privacy and anonymity and when I had some time after leaving my last gig, I spent quite a bit of time learning about Tor.  Though I aspired to run an exit relay, the potential hassle was too much. Instead, I was happy to learn about The Amnesic Incognito Live System (aka Tails) and set up a middle relay.  Here’s to another year!

Bootstrapping with secure passwords

Leave a reply

2 minutes, 6 seconds

I recently fat fingered the partitions on my 5k iMac when installing Ubuntu (more on Ubuntu on a 5k later!), so I was stuck doing a double clean install of both OS X and Ubuntu.  Given how often I find myself re-installing a system from scratch, I’ve gotten pretty good at getting all my core apps set up.  All the software I run is open source or free, so downloading it is quite easy.  But how do you log in using all your secure passwords?  The passwords are stored in my password safe, but the password safe is stored in a password protected, self hosted cloud file server. Classic chicken and egg scenario.  Here’s how I get around it:

  1. Go to a computer where you have your password safe handy
  2. Log into your cloud file server
  3. Generate an unprotected shared link to your password safe.  This will look something like this: http://my_owncloud_server.com/public.php?service=files&t=4617c2d4e806fa0d8bf6f47e4123f695
  4. Then take that link, and use a URL shortener to make a short, but not too guessable URL

Now, when you need to bootstrap a new computer, it’s simple as pie:

  1. Download password safe binary
  2. Go to http://tinyurl.com/MySecretPasswordSafeURLHere
  3. Download password safe file

Thus we solve the chicken and egg problem.  As well, since we’re pointing to the most up to date version of your password safe on your cloud server, you’ll always have your latest passwords!

Yes, yes, we are exposing our selves here to some risk that some one will guess the shortened URL of our our password safe.  However, this is pretty unlikely that it’ll be guessed.  As well, you use a good pass phrase on your password safe, right?!

For smart phones, I’ve had similar problems bootstrapping when I can’t download the password safe app because I can’t log into the app store. Another chicken and egg!  Here’s how I work around this (which would work for the desktop scenario too):

  1. Turn your phone on, skip account set up
  2. Connect to WiFi or cellular data so your mobile browser can connect to the internet
  3. On another computer, where you have access to your password safe, copy your primary login for your app store (aka your iCloud or gmail/google app login)
  4. Go to onetimesecret.com and create a secret URL
  5. Go to ye’ ol’ URL shortener, and create a customized, short URL: http://tinyurl.com/help-obi-won-kanobi linking to your onetimesecret URL
  6. Now you can manually type the short URL on your phone and get the password which you can then copy and paste to log into to the phone/app store.

Though it seems like a number of painful steps they both go more quickly than you think and I seem to do them enough they’re second nature.

Using Git on Ubuntu with SSH Tunnels to Mac OS X Host

Leave a reply

4 minutes, 9 seconds

Intro & Prerequisites

Are you using Linux but cannot get your LT2P-IPSEC VPN hosted on your Mac OS X server working?   Do you write code on your Ubuntu client and check into a git server behind your VPN? Maybe you should consider ditching the VPN client and using SSH tunnels instead. Really, this will work for any server that’s on the remote LAN that you have SSH access to, but in my case it was the same host as the VPN Server, a mac. As well, this can be any client as well, not just Ubuntu.

In all the notes below, any time you see “mrjones” or USERNAME, replace it with your username.  Anytime you see an all caps computer name that’s SERVER_NAME.com, replace it your server’s name.  The VPN server, SSH jump host and jump host are all the same.

You’ll need:

  • An SSH client you know how to configure. For OS X and Ubuntu clients, this is built in.  For Windows you can use putty.
  • An SSH account the remote server which has access to your remote LAN you want to access.
  • An SSH public key you have put on on your ~USERNAME/.ssh/authorized_keys file on this same remote server.

SOCKS5

You can use SSH to create an SSH tunnel, specifically one that has dynamic ports and hosts as specified by the requesting app – aka a SOCKS5 proxy. To do this, you can use any local port above 1024, but I use 1080.  It looks like this:

ssh -D 1080 mrjones@SECRET_DOMAIN.com

In your browser then, for example FireFox, you set up the proxy by:

  • socksPreferences -> Advanced -> Network -> Connection -> Settings
  • Choose “Manual Proxy Configuration”
  • In the bottom option for “SOCKS Host” put “127.0.0.1” and for port put “1080”

 

The benefit of setting up a SOCKS5 proxy is that your URLs are the same as if you were on the VPN. This means that when you copy and paste them into/out of IM chats and emails, they just work as opposed to having localhost in them or trailing, odd ports.

SSH Tunnels with agent forwarding

You may still need to SSH to a production machine via the remote server jump host.  In order to do this and not have to re-federate your private key the SSH jump host (or generate a new private key on the jump host and then federate that out to the production machines), you can just do this:

ssh -A -t -l mrjones SECRET_DOMAIN.com ssh -A -t -l root SECURE_INTERNAL_SERVER.com

After running that you should have a prompt on SECURE_INTERNAL_SERVER.com as root.  This assumes that you have your public on your *local* box added to the authorized_keys of the account your SSHing to on the remote most box (SECURE_INTERNAL_SERVER.com).  This is a thing of beauty.

Checking code out with git over SSH

If you’re like me, you need to git clone for repos hosted on your stash/gitlab/whatever server which is only accessible on the VPN or LAN. You can do this with tunnels as well!  For me, I use  Stash professionaly, so instead of running this command to clone a repo:

git clone  ssh://git@STASH_SERVER.com:7999/path/to/repo.git

You can run this to add a tunnel to the stash host and then clone via a specialized host:

ssh mrjones@SECRET_DOMAIN.com -N -L 7999:STASH_SERVER.com:7999
git clone ssh://git@localhost:7999/path/to/repo.git

subsequent git commands like commit, pull, status etc. work with out modification transparently.

Pushing code with git over SSH

If you’re like me, you need to push using git via awesome git post-commit hooks. You can do this with tunnels as well!  Instead of running this command to add your remote:

git remote add live ssh://git@PROD_WEB.com/opt/git/web.git

You can run this to add a tunnel to PROD_WEB.com and then add a specialized remote:

ssh mrjones@SECRET_DOMAIN.com -N -L 2200:PROD_WEB.com:22
git remote add live ssh://git@localhost:2200/opt/git/web.git

subsequent git commands to push new branches work with out modification transparently.

Side note, you can push specific tags using this syntax:

 git push live +TAG_HERE^{}:master

SSH Tunnel manager

gstm

DDG gSTM pic

Managing all these tunnels is a total pain.  You could create a shell script to do it, but the cleanest way by far is to use a tunnel manager.  For me on Ubuntu this gSTM (Gnome SSH Tunnel Manager).  This allows you to, with one click, turn on and off all the tunnels listed above.

 

Caveats

Right now the biggest caveat with this set up is that *ALL* your web traffic goes over the VPN host (this is actually the same as when you’re on your mac based VPN). Further, your browser will not work *at all* with out the tunnels set up, even for any hosts (not same as VPN ;).  Which means even if you want to use your browser for non-work when you’re not working, all your browser traffic goes through your VPN server.

As well, if you run a vagrant dev environment, you can not access your VMs via their local Virtual Box IP, as they’re not accessible from VPN server.

You can fix both of these issues by either using a different browser for non work/vagrant hosts or disabling the proxy by flipping it back to “no proxy” back in settings.

I believe that Foxy Proxy might solve this, but haven’t tried it yet!

Leaves, Slugs, Spiders, Water, Figs, Jellyfish (photos)

Leave a reply

0 minutes, 1 second

Your mom just got her first smart phone: what should she learn first?

Leave a reply

2 minutes, 25 seconds

My mom just got her first smart phone, an iPhone 5S. What should she learn to do on it first? Fortunately, she has an iPad already so the iOS as a whole isn’t entirely foreign.

First up is the core list of phone phone features which is actually only limited to 6:

  • How to receive a call
  • How to place a call
  • How to send an SMS (text message)
  • How to receive an SMS (text message)
  • How to adjust or turn off your ring volume
  • How to turn on and off airplane mode

My mom wants to barely use her phone so she doesn’t have to pay a lot per month.  Right now she’s paying $17.50 for 250 minutes, 300 texts and 30 MB per month from Consumer Cellular.  With these tight constraints, airplane mode will be your friend to ensure while you’re phone is not actively being used that it’s not using data while your email is checked or while some app is sucking down bits. As well, knowing if you’re phone is going to sound like Defcon level 1 alert when some one calls you is important. Know your sounds vs your silence!

The second set of features to learn are centered around how your phone is not just a phone, but a super powerful mini computer that fits in your purse:

  • How to get on WiFi at your house and other primary locations you frequent.  Though calls and texts will still be deducted from your plan, surfing the web and looking up directions will not. Couple this with your airplane mode savviness, and you’ll be a penny pinching queen!
  • Know your camera!  You always have it with you and you can use it in airplane mode! Your camera can not only take selfies and scenic shots, but it can take pictures of:
    • Where you parked your car at the airport
    • That recipe you’re reading in a magazine at the doctors
    • Slides of a presentation
  • Know your maps app.  You can look where to find a cup of coffee in a part of town you don’t know.  You can have it navigate it for you to a business you’ve never been to.  You can instantly look up where that deli you went to last year is in NYC or what country Estonia is next to (Latvia and Russia ;)
  • Know your audio app(s).  You can not only load your phone with your favorite tunes exactly like an iPod, but you can stream them from providers like Google Play and Pandora. NOTE! This will use a lot of your monthly data if you’re not on WiFi. On top of all this, you can get a podcast app and load your phone full of amazing stories and info that can all be listened to with airplane mode one.

I don’t know if she agrees (Mom?), but I think some of the best advice I gave her was that she didn’t need to rush things with the new phone.  She could take as long as she needed to learn how to do a task (or wait until I’m free to walk her through it).

Do you know someone who just got a smart phone for the first time? What do you think should be on the top items to learn?

Defcon 2015

3 Replies

2 minutes, 33 seconds

Another year, another Defcon!  This was my third year attending.  The biggest change this year was that the conference changed locations moving from the Rio to Paris/Ballys.  Given I’m some what of a lookie loo I can’t say with super authority, but I thought the space worked as well as the prior location, leave the fact that the sky talks were on a separate floor and might have gotten less traffic.  Given that in prior years they had an hours long wait, it may have been a good thing.

Since I live in Vegas, I didn’t have any concerns getting my pick there, like I did with Hope. Otherwise, this years highlights were:

  • Seeing Cory Doctorow speak on general purpose computers.  Nothing really new here if you follow him (author ID 1!), but it was fun to see it all wrapped up nice and dense and delivered with passion.
  • Bruce Schneier is just awesome.  His talk was actually just 45 minutes straight of Q&A, but with a super nerdy crowd, it did not disappoint. Like Doctorow there was nothing new, but I found Schneier more pleasing and inspiring to see than Doctorow.
  • Holy crap Marc Rogers and Kevin Mahaffey, the Tesla hack guys, are awesome!  They literally tore into a new Tesla and gained remote root.  An amazing talk that was just high level enough to keep you following along but way deep enough to blow you away with how hard they had to work to achieve the hack.
  • Samy Kamkar‘s talk on hacking garage doors and car fobs was tons of fun.  I’d seen a video on the garage door opener before, but the fob attack was new; both were great to see revealed real time.
  • The EFF presented on their Lets Encrypt certificate authority which will feature automated cert creation and installation.  The demo was inspiring to see.  The thought of TLS for everyone and their mother is totally great.
  • I heckled Alejandro Mayorkas trying to force him to agree that crypto back doors are a Bad Thing.  Unsurprisingly, he didn’t take the bait. I was bummed that his security entourage was too strong to let me shake his hand and thank him for speaking at Defcon.

Though I didn’t make it very far through the matasano crypto challenges, it is amazing to see how relevant the lessons learned in those challenges are. Hex, Base64 and XOR…every talk I attended had one of these concepts as a critical part of their hack.

Here’s a list of talks I attended:

How to test PHPs memory_limit setting

4 Replies

0 minutes, 42 seconds

So, we all know that in PHP, you configure it with a php.ini file. And in there, you can set the amount of RAM a script can use with the memory_limitsetting (remember this is “M” not “MB”!).  And if you get this error:

PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 234881025 bytes)

Then you can increase the memory_limit to be larger (don’t forget to restart apache!). However, what if you want a script to hit that limit to see how your error logs and such are set up?  I had more fun than I thought I would writing a textbook solution to a textbook problem.  Here it is in it’s 4 line glory:

$str = 'memory!';
$i = 1;
while ($i++ != 100) $str .= $str  ;
print "done!";

When you run this you should see an error as this will exceed 128M of memory. If not, so salt to taste ($i++ != 200) if you run with a higher memory_limit setting!