1. Flashing a custom ROM on Nexus 4

    Flashing a custom image on an Android phone can be fun. But if you don't know why you want to do it, or you are doing it just because it's a challenge, then don't!

    The bad and the good

    I'm only pointing out some of the cons and the pros here.

    Negative sides

    • An OS image could contain malware; only use community-trusted images.
    • If you don't pay attention you can end up with malware running as root. That's B A D !
    • May not have all of the phone vendor's functionality.
    • The image may be buggy.

    Consequences of a buggy image

    • Lock up your phone when you least expect it.
    • Drain the battery quicker.
    • Suddenly reboot.

    Positive sides

    • You can get a newer, more secure operating system.
    • Use less battery.
    • No crapware.
    • Extra security functions.

    Flashing CyanogenMod

    One of the custom Android images based on AOSP is CyanogenMod. As far as I know, it's one of the most widely used ones. Quite stable if you keep away from the nightlies, and rich in functionality without being bloated.

    Preparations

    1. Install adb and fastboot to help manage your Nexus phone.

      sudo apt-get install android-tools-adb android-tools-fastboot
      
    2. Download a custom recovery image. Personally I prefer ClockworkMod and the touch recovery. Note, this image is compiled for the Nexus 4 phone. Other phones use other images.

      wget http://download2.clockworkmod.com/recoveries/recovery-clockwork-touch-6.0.4.7-mako.img
      
    3. Download the latest M snapshot from CyanogenMod on download.cyanogenmod.org. The model name for Nexus 4 is ...

    Read more...


  2. OCSP Stapling on Apache

    Excerpt from Remy van Elst's tutorial: OCSP stapling is an enhancement to the standard OCSP protocol that delivers OCSP responses from the server with the certificate, eliminating the need for relying parties (web users) to check OCSP responses with the issuing CA. This has the effect of reducing bandwidth, improving perceived site performance, and increasing security for everyone involved in establishing the secure session. This tutorial shows you how to set it up with Apache.

    Summary

    Create OCSP stapling configuration for Apache.

    cat <<EOF > /etc/apache2/conf-available/sslstapeling.conf
    SSLUseStapling on
    SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
    SSLStaplingResponseMaxAge 900
    EOF
    

    Enable the configuration, test it, and restart Apache if all is OK.

    a2enconf sslstapeling
    apache2ctl configtest
    apache2ctl restart
    

    Check that the server staples an OCSP response, using OpenSSL.

    openssl s_client -connect «yoursite»:443 -tls1 -tlsextdebug -status
    

    Read more...


  3. How to get A+ on SSL Labs

    This will show how to get A+ on SSL Server Test from Qualys SSL Labs.

    Enable the SSL and headers modules in Apache2.

    a2enmod ssl
    a2enmod headers
    

    Edit the Apache configuration.

    SSLCertificateFile /etc/ssl/crt/«yourcert».pem
    SSLCertificateKeyFile /etc/ssl/crt/«yourkey».pem
    SSLCertificateChainFile /etc/ssl/crt/«intermediatechain».pem
    
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite EECDH:EDH:AES:!aNULL:!eNULL:!LOW:!RC4:!3DES:!DES:!MD5:!EXP:!PSK:!SRP:!DSS
    

    The ! preceding a cipher name means that Apache will not use that cipher.

    View ciphers

    List the ciphers openssl supports with the current configuration.

    openssl ciphers -v -ssl3 -tls1 'EECDH:EDH:AES:!aNULL:!eNULL:!LOW:!RC4:!3DES:!DES:!MD5:!EXP:!PSK:!SRP:!DSS'
    

    Explanation

    With this configuration Apache will prefer cipher suites that offer perfect forward secrecy. If perfect forward secrecy can't be negotiated it will fall back to a plain AES cipher suite. This configuration works with all newer browsers; the exceptions are older IE, older Java and a few bots.

    Where no link to the source is given, the information is taken from the documentation on openssl.org.

    Header always set Strict-Transport-Security

    Forces the browser to use HTTPS even if the user types an HTTP URL. The browser should remember this setting for a long time, for example a year.

    SSLHonorCipherOrder On

    Use the server's cipher preference rather than the browser's, which may be a weaker cipher.

    EECDH

    Ephemeral elliptic-curve Diffie-Hellman, see ECDH.

    EDH

    Ephemeral Diffie-Hellman, see Diffie–Hellman key exchange.

    AES

    Advanced Encryption Standard.

    !aNULL

    The cipher suites offering no authentication. This ...

    Read more...


  4. Auto generate Pelican blog from Dropbox

    These are my notes on how to update my Pelican blog automatically when I write new posts. See Creating a blog based on Pelican for getting started with the Pelican blog engine.

    A way to be able to blog from anywhere is to use Dropbox as the repository for your blog, and then let Pelican regenerate the blog automatically on changes in the Dropbox folder.

    A prerequisite for this recipe is that /var/www is not directly exposed to the web.

    Preparing Dropbox

    First create a new Dropbox account and create a Pelican folder. Share this folder with your main Dropbox account. Now copy the sources for your Pelican blog into the shared folder.

    On your web server, install Dropbox under the www-data user.

    cd ~ && wget -O - "https://www.dropbox.com/download?plat=lnx.x86_64" | tar xzf -
    

    Then link up the new Dropbox account to the web server by accessing the link you get from starting the Dropbox daemon.

    ~/.dropbox-dist/dropboxd
    

    Edit the crontab for www-data (crontab -e) to start the Dropbox daemon if it's not running. This is useful when the server reboots.

    */5 * * * * pgrep -F ~/.dropbox/dropbox.pid >/dev/null || (~/.dropbox-dist/dropboxd &)
    

    Now Dropbox should be in sync and have your latest source for the blog.

    Autogenerate blog on change

    We need to install the Pelican blog engine and incron, which triggers regeneration of the blog on changes in the ~/Dropbox/Pelican/content folder.

    sudo apt-get install python-pelican python-markdown incron
    

    Edit DROPBOX_DIR in the Pelican Makefile to point to the VirtualHost which ...

    Read more...


  5. Configuring OpenVPN server on RTN66U

    The Tomato router firmware (see the previous post, RT-N66u with Tomato by Shibby firmware) can act as an OpenVPN server.

    Using open Wi-Fi access points can be very useful and sometimes necessary, but it is inherently insecure. Using the router as an OpenVPN server can increase your privacy and security when you are on the go. By creating an encrypted VPN connection back home to the router, you not only get protection from nosy eavesdroppers, you also get access to all your equipment behind the router at home.

    For OpenVPN to work we need to create our own CA for signing the server certificate (the router's) and optionally client certificates. These notes will only show how to create a server certificate and configure the router with username and password authentication.

    Preparations, create CA

    Install the necessary software. haveged is not required, but see Better entropy with haveged.

    sudo apt-get install easy-rsa haveged
    

    Create a work directory for OpenVPN. Take care to protect this directory and the files under it.

    make-cadir «yourdomain»
    

    Enter your CA directory.

    cd «yourdomain»
    

    Edit the vars file and change the following variables to something more sensible for you.

    export KEY_COUNTRY="US"
    export KEY_PROVINCE="CA"
    export KEY_CITY="SanFrancisco"
    export KEY_ORG="Funston-Fort"
    export KEY_EMAIL="me@myhost.mydomain"
    

    Source the variables into the current bash session.

    source ./vars
    

    Do an initial clean.

    ./clean-all
    

    Create your CA public and private key.

    ./build-ca
    

    Generate your Diffie–Hellman parameters.

    ./build-dh
    

    Create your router's public and private key.

    ./build-key-server «yourrouter»
    

    Listing of folder keys ...

    Read more...


  6. Better entropy with haveged

    Entropy is important for generating good encryption keys. If you have a busy server relying on crypto and generating keys, you need a lot of good entropy. And if you have a diskless system you don't get as much entropy from the kernel as you might wish. One way to get a lot of good entropy is to use haveged. Haveged is closer to a TRNG than a PRNG.

    Excerpt from haveged's homepage: The haveged project is an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers. Current development of haveged is directed towards improving overall reliability and adaptability while minimizing the barriers to using haveged for other tasks.

    How to install

    Install haveged from the repository, and that's it.

    sudo apt-get install haveged
    

    Enjoy fast, good entropy. Check your available entropy:

    cat /proc/sys/kernel/random/entropy_avail
    

    Read more...


  7. RT-N66u with Tomato by Shibby firmware

    This is a part of my personal notes. Use this information at your own risk. If you are uncertain or don't know what you are doing, do not proceed.

    Asus RT-N66U is a Linux based wireless router. The stock firmware can be a bit limiting for the more advanced user. If you want better QoS, OpenVPN or just more control over the network I recommend installing Tomato by Shibby firmware.

    Download the latest version of the firmware from Tomato by Shibby. Look for Asus RT-N66u 64k in the version folder in the K26RT-N repository.

    I use the all in one, AIO, i.e. tomato-K26USB-1.28.RT-N5x-MIPSR2-117-AIO-64K.trx.

    Flash RT-N66u

    1. Download the latest Tomato by Shibby, e.g. tomato-K26USB-1.28.RT-N5x-MIPSR2-117-AIO-64K.trx.
    2. Connect the router to a computer with a cable.
    3. Turn off the router.
    4. Turn on the router while holding in the reset button. Wait until the power LED starts blinking. The router is now in flash mode.
    5. Configure the network on the computer to 192.168.1.2/255.255.255.0.
    6. Browse to http://192.168.1.1, erase NVRAM and upload the new firmware.
    7. This takes some time.
    8. Configure the network on the computer to DHCP and wait until it receives an address.
    9. Browse to http://192.168.1.1 and start configuring the router.

    Tips

    Problems booting? Try resetting NVRAM again. Resetting NVRAM can also be done by holding in the WPS button while powering on. Don't release the WPS button for 30 seconds.

    Read more...


  8. Find duplicate files

    Find all duplicate files in the current directory and its sub-directories with bash.

    find -not -empty -type f -printf '%s\n' | sort -rn | uniq -d | xargs -I{} -n1 find -type f -size {}c -print0 | xargs -0 md5sum | sort | uniq -w32 --all-repeated=separate
    

    Breakdown

    1. Find all non-empty files and print their sizes.
    2. Do a numeric sort on the size list.
    3. Print only the sizes that occur more than once.
    4. For each such size, run find and print the matching file names.
    5. Compute the md5sum of all candidate files.
    6. Sort the md5sums and file names alphabetically.
    7. Find all md5sums which repeat and print them in groups.
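    The same size-then-hash idea as a shell function, added here as an example and not part of the original post: it tolerates spaces in file names, hashes with SHA-256 instead of MD5, and only hashes files whose size occurs more than once. It assumes GNU findutils and coreutils (find -printf, xargs -r, sha256sum).

```shell
#!/bin/sh
# Added example (not from the original post): find duplicate files under DIR
# in two stages, exactly like the one-liner above. Assumes GNU find/xargs and
# coreutils sha256sum/sort/uniq.

find_dupes() {
    dir="${1:-.}"
    # Stage 1: sizes that occur more than once. Files with a unique size can
    # never be duplicates, so they are never read or hashed.
    find "$dir" -type f -not -empty -printf '%s\n' | sort -n | uniq -d |
    while IFS= read -r size; do
        # Stage 2: hash only the candidates of that exact size. NUL-separated
        # so spaces and other odd characters in file names survive.
        find "$dir" -type f -size "${size}c" -print0 | xargs -0 -r sha256sum
    done |
    # Group identical hashes (first 64 hex chars of each sha256sum line);
    # --all-repeated=separate prints one blank line between groups.
    sort | uniq -w64 --all-repeated=separate
}

# Number of duplicate groups under DIR; handy for scripting and for checks.
count_dupe_groups() {
    out=$(find_dupes "$1")
    if [ -z "$out" ]; then
        echo 0
        return 0
    fi
    # Groups are separated by blank lines, so groups = blank lines + 1.
    blanks=$(printf '%s\n' "$out" | grep -c '^$' || true)
    echo $((blanks + 1))
}
```

    Run it as `find_dupes /path/to/dir`; files of equal size but different content (hashed, then discarded) never appear in the output.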

    Alternatively

    Or do it the easy way and install a tool for finding duplicate files. This tool is much faster than the one-liner above.

    apt-get install fdupes
    

    This does more or less the same thing as the one-liner.

    fdupes -r .
    

    Read more...

