Saturday, January 31, 2015

Facebook reverse phone search is much more dangerous than you think

Facebook's got this dangerous feature allowing anybody to search for people using only their phone number.

Many companies are now taking advantage of this to associate a number with a name and other information from the profile. This is incredibly bad for your privacy.

Facebook's bad decisions

Facebook made two particularly bad decisions.
First, they require a phone number for many of the site's functions.
Second, on your profile you can choose who can see your number; you can even select "Me only". But there is a separate setting, enabled by default, that allows anyone to find your profile using only your phone number.

There's a saying in software design that default settings should be good for most people. I don't think that's the case here. The problem is made even worse by the fact that Facebook is used by teenagers (and older people too) who are not aware of the consequences a lack of privacy can have on their lives, while their Facebook profiles contain everything there is to know about them, everything that can be used against them.

On a larger scale...

Maybe you are thinking: "So someone knows a number and can find who owns it. What's so bad about that? It would take people forever to look up numbers one by one*."
Then you are not aware of what can be done with computers:

  • Write a program that performs a brute-force search, trying every possible phone number out there, and build a database. Then sell this database.
  • You think Facebook would catch someone running such a search? If they did, attackers would use a different network path for each connection, as can be done with I2P.
  • I2P would be particularly slow, though, and you need a Facebook profile to perform the search. That's where botnets come in. The people operating such networks have hundreds of thousands of "zombie" computers working for them (each typically holding a session cookie that allows it to perform the search), and these would use their owners' Facebook accounts to do the lookups. The attack could be done in minutes.
* Did you know there are people in India and elsewhere in the world solving CAPTCHAs by hand, right now? There are advanced techniques to solve many kinds of CAPTCHAs automatically, but in the time (and for the money) it takes an engineer to write such a program, low-paid workers from poor countries will have solved millions of these stupid images.

Friday, January 30, 2015

Microsoft and Snapchat vulnerabilities got publicly exposed

Here's a post to thank the people who aren't afraid to publish information about security threats when software companies don't care after they have been warned.

Microsoft, for instance, failed to correct serious issues within the 90 days after Google reported them, as documented on the Project Zero blog. I mean, come on! Microsoft is a giant company. 2,160 hours is plenty of time to fix a bug.

Snapchat isn't a good player either.
For those who don't know, Snapchat is a social media service that focuses on the exchange of so-called "snaps": photos or short videos that delete themselves upon viewing.

The recipient can only see the video or photo once, and only while holding a finger on the screen. The "snaps" get deleted afterwards.
Well, not quite. The truth is, the snaps are merely marked for deletion by the operating system. The files get renamed with a ".nomedia" extension and are only really removed from the file system later, because, as you might have witnessed with the "Gallery" app, deletion is a slow operation.

Many applications, which violate both Snapchat's terms and conditions and Google Play's, and hence were removed from the store, did something very simple: copy the marked files elsewhere and rename them. Voilà, users could view the snaps for as long as they wanted and re-share them.
To prevent this, Snapchat used some encryption.

If you know a thing or two about encryption, you might be aware that the term covers an infinite number of techniques that try to "hide" data in some way or another. Even reversing the letters of a text technically counts as encryption.
As this very interesting and very well-written article from GibsonSec will tell you, Snapchat uses AES/CBC with a single symmetric key. The decryption function in Python is only 8 "instructions" long, including two requests to a web service.
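To give a sense of how little protection a single hardcoded key offers: once someone has extracted the key from the app, decrypting a snap is a one-liner. A sketch with openssl (the key, IV and file names here are made up; the real parameters are in the GibsonSec article):

# Decrypt an AES/CBC-encrypted file with a known key and IV (hex values).
openssl enc -d -aes-128-cbc -K 00112233445566778899aabbccddeeff -iv 00000000000000000000000000000000 -in snap.encrypted -out snap.mp4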

Snapchat's founder said he doesn't care about security; he wants his users to have fun with the app. That's obviously something a product design major would say, not an engineer.
Because the truth is that if they want their service to exist in the future and make money, they should take this issue very seriously. If people can cheat, and anybody can save the snaps with an app publicly available on the Play store, their whole business idea sinks to the bottom of the sea.

Even if Google removes the apps from the store, Android users are, fortunately, free to download and install whatever they want on their devices. So simply removing the apps that exploit the encryption weakness is useless.

Snapchat played its cards very badly: users got their credentials stolen because the company still considers security a minor issue...
There are plenty of websites featuring stolen photos and videos from Snapchat. What did the company say? That it's the users' fault for installing third-party apps. Boo hoo. If the government did the same, who would you blame? The citizens? The hackers? Nope. You'd blame the government. So you should blame Snapchat.

Snapchat doesn't give a **** about your privacy.

Wednesday, January 28, 2015

ownCloud Client asking for password when starting a KDE session

UPDATE: On another machine of mine, the fix described below is not enough. You also have to make sure that the KWallet daemon is enabled for the current user: System Settings => Account details => KWallet => Enable

The ownCloud client is integrated with KDE's password manager (KWallet).
When it starts, it checks whether the wallet is unlocked and looks up the password.

Yeah, that's how it should be, and that is very good software design. Unfortunately it has never worked, and the ownCloud client asks for the password every single time!

In the latest version the problem is actually explained in the dialog ("No keychain available"):



In my case, which seems to be the default, the problem is that kwalletd is not yet running when the ownCloud client starts. It's a timing issue.

My solution:


1. Open KDE's "Autostart" control module (a quick search from the start menu will get you there)
2. Change the ownCloud entry to point to a script of your own.
3. Click OK.
4. Write a shell script along the lines of the sketch shown after this list.
5. Make it executable.
6. Reboot (or kill kwalletd and try your script. Note that logging out doesn't kill the daemon.)
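A minimal sketch of such a script (assuming the KDE 4 D-Bus service name; on Plasma 5 it would be org.kde.kwalletd5):

#!/bin/bash
# Poll until kwalletd has registered on the session bus, then give it a
# moment to settle and start the ownCloud client.
while ! qdbus org.kde.kwalletd >/dev/null 2>&1; do
    sleep 2
done
sleep 2
owncloud &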

Of course if your KWallet is protected by a password, then you will be asked to provide it.

VBoxManage made simple

As you might know, VirtualBox machines can be managed from the command-line. However, I find the syntax of the VBoxManage command-line utility cumbersome and hard to remember.

Copy this in .bash_aliases:
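Something along these lines does the job (a minimal sketch; the confirmation prompt and the completion setup can be refined):

# ~/.bash_aliases -- thin wrappers around VBoxManage.
# VM names containing spaces are not supported.

_vm_names() { VBoxManage list vms | awk -F\" '{print $2}'; }

vm-start()       { VBoxManage startvm "$1" --type headless; }
vm-savestate()   { VBoxManage controlvm "$1" savestate; }
vm-powerbutton() { VBoxManage controlvm "$1" acpipowerbutton; }
vm-running()     { VBoxManage list runningvms; }
vm-poweroff() {
    # Dangerous: equivalent to pulling the power cord, so ask first.
    read -p "Power off $1 without shutting it down? [y/N] " answer
    [ "$answer" = "y" ] && VBoxManage controlvm "$1" poweroff
}

# Complete VM names. The list is computed when this file is sourced,
# hence the need to re-login after adding or removing a VM.
complete -W "$(_vm_names)" vm-start vm-savestate vm-powerbutton vm-poweroff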



Now you can do the following:

vm-start starts a VM in headless mode
vm-savestate suspends a VM to disk
vm-powerbutton simulates a press on the power button
vm-poweroff simulates unplugging the power cord (some OSes don't shut down completely)
vm-running lists the running VMs

Autocompletion is enabled and dangerous actions will ask for confirmation.

(You will need to re-login or "source" .bash_aliases whenever you add / remove a VM.)
(The script doesn't support VM names with spaces.)

Sunday, January 25, 2015

Backing up your data with Amazon S3 Glacier and rsnapshot. A complete guide, Part 4.

Aletsch Glacier in Switzerland
Photo from John Fowler

Amazon Glacier

Here we go! In Part I, I wrote quite a lot about Glacier; now is the time to get our hands dirty.


Create an AWS account and a vault

Before starting you need an Amazon Web Services account. There is no point in showing you screenshots or explaining the following process in detail, because it's well documented by Amazon and will probably be outdated by the time you read this. Using the web management console:

  1. Create an AWS account. It will be referred to by Amazon as the "root account".
  2. Create a group with permissions for Amazon Glacier.
  3. Create an IAM user and add it to the group you just created. Write down the access key and the secret key. We will need them in a minute.
  4. Switch to the datacenter you want your data to be stored in.
  5. Create a new vault in Glacier. Name it appropriately, for instance "yourHostname_backup".
  6. Configure the appropriate limit for the vault in the "Settings" panel from the Glacier page.

Glacier-Cmd

Amazon doesn't develop any command-line or graphical client. All they offer are wrappers for their REST API in many languages. The Java and .NET APIs offer high-level features that the others do not. But still, everybody needs to upload and download archives, so some people have developed interfaces. One of them is Glacier-Cmd.

As a regular user:

git clone https://github.com/uskudnik/amazon-glacier-cmd-interface.git
cd amazon-glacier-cmd-interface
sudo python setup.py install

At the time of writing there was a pending patch to support "eu-central-1", Amazon's latest datacenter located in Frankfurt am Main, Germany, Central Europe.

With the user that will send the archives to Amazon Glacier:

Edit ~/.glacier-cmd:

[aws]
access_key=YOUR_ACCESS_KEY
secret_key=YOUR_SECRET_KEY

[glacier]
region=eu-central-1
#logfile=~/glacier-cmd.log
#loglevel=INFO
#output=print

Change the keys and region accordingly. The rest is optional. Attention! The region itself must be chosen in the AWS web console, not here!
The logging options don't seem to work.

Verify this is working:

glacier-cmd lsvault

By the way, you can also create vaults with glacier-cmd.
The command-line tool is badly documented; look at this page instead.

To upload an archive:
glacier-cmd -c ~/.glacier-cmd  upload --description "A description of the archive" your_vault_name archiveName.tar

Do I need to tell you to run this with Task Spooler or Screen?

I am not sure Glacier-Cmd completely supports resuming, but in case you get a timeout, try this:
  1. glacier-cmd listmultiparts your_vault_name
  2. Copy the upload ID
  3. Retry the upload with "--resume --uploadid the_copied_upload_id".
The CLI says it resumes something, even though the documentation says the feature isn't supported, so I'm a bit lost. Maybe because the doc is 2 years old...
See also this solution in case of timeouts (in short: while true; do glacier-cmd ... --resume --partid 1234 --partsize a_power_of_two; sleep 600; done).

Alternative: Glacier CLI. It also offers an interesting mechanism for working with git-annex.
Alternative on Windows and Mac: I love Cyberduck. It might well be the most user-friendly GUI for many storage providers, including S3 and Glacier.


Things to know

  • Uploads are free.
  • Downloads are not.
  • Asking for the "inventory" takes time.
  • Asking for a download link takes at least 4 hours.
  • Download links are valid for 24 hours. (Does that mean we have 24 hours to download the entire archive?)
  • It takes one day for deleted archives to stop being listed in the "inventory".
  • Started but failed uploads are kept by Amazon; you must either resume them (see above) or abort them (glacier-cmd abortmultipart).

Automating

The next step is to automate the upload and the deletion of the archives created from rsnapshot.
Remember that deleting an archive is only free once it has been stored for 90 days.

Last words: Testing

Voilà. We are done. One last piece of advice: test your backups. To do this, create a small directory, for instance with a single "Hello, World" text file, and modify rsnapshot so it runs a script that creates an archive, encrypts it and sends it to S3 Glacier. Then download the archive with Glacier-Cmd or another tool (try one of the GUIs like SAGU), decrypt it, extract it and see if you can retrieve the "Hello, World" text.
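A rough sketch of such a test run (the vault name, key and paths are placeholders, and the retrieval step is manual and slow):

mkdir -p /tmp/backup-test && echo "Hello, World" > /tmp/backup-test/hello.txt
tar cf test.tar -C /tmp backup-test
gpg -e -r NameOrEmail test.tar
glacier-cmd upload --description "restore test" your_vault_name test.tar.gpg
# About 4 hours later, download test.tar.gpg with glacier-cmd or a GUI, then:
gpg -d test.tar.gpg > restored.tar
mkdir -p /tmp/restore-test && tar xf restored.tar -C /tmp/restore-test
cat /tmp/restore-test/backup-test/hello.txt   # should print "Hello, World"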

Backing up your data with Amazon S3 Glacier and rsnapshot. A complete guide, Part 3.


(Part I is here)

Remember when I told you it was a bad idea to automatically back up files that never change (e.g. photos from 5 years ago) with rsnapshot? Still, you want to make one backup of those files.
That's what we'll do now: we'll create archives manually and encrypt them.

Creating archives from the rsnapshot folders and encrypting them is left as an exercise. It should be easy if you read the guide.

Creating an archive

The simplest way to create an archive of a folder is this:
tar cf somename.tar folderPath/

Then you could run "watch du somename.tar -h" to see it progress.
Fortunately, there is a more complicated way!
tar cf - folderPath/ -P | pv -s $(du -sb folderPath/ | awk '{print $1}') | cat > somename.tar

This will display a nice progress bar. I suggest using screen for long-running jobs. You can also try Task Spooler, a barely-known, badly-documented yet very useful tool!
Note that the two commands above create an uncompressed archive. That's what you want if you are backing up your music library, images, videos, ZIP files, ...

If you want compression:
tar zcf somename.tar.gz folderPath/
for a gzip-compressed file. It's slow because gzip uses a single thread. There are multithreaded implementations of GZIP and BZIP2 (namely pigz and pbzip2) that accelerate compression roughly linearly with the number of CPU cores.
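For instance, assuming pigz is installed, it can simply replace gzip at the end of a pipe:

tar cf - folderPath/ | pigz > somename.tar.gz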

With the progress bar:
tar cf - folderPath/ -P | pv -s $(du -sb folderPath/ | awk '{print $1}') | gzip > somename.tar.gz

Note: Instead of TAR you might want to take a look at DAR. It offers many useful features.
Note 2: I've found that with default options file sizes go like this: uncompressed > gzip > bzip2 > xz (~ 7zip).
Note 3: Here and in general, avoid ZIP, RAR and DMG files. Everything TAR-based is 100% open source, while these are not, or might get you in trouble. Also, tar, gzip and bzip2 are available on every UN*X right after the first boot.

Encryption

OpenSSL can encrypt files, but it's not meant for large ones, so we can't use it. We are left with S/MIME and PGP. Here we will use GnuPG / GPG (the GNU Privacy Guard), a free alternative to the original, proprietary PGP (Pretty Good Privacy) software.

First we'll need to create a private and public key pair. I won't explain how PGP works, nor RSA or ElGamal... There are plenty of GUIs for all operating systems to create the keys, but you can also create them on the command line, as explained in this online guide:
gpg --gen-key

Make several copies of your private and public keys. Use a strong password. Whenever possible, give the private key 400 permissions. You can give your public key to anyone; in fact most people put theirs on a key server so others can find the public key they need to send you encrypted e-mails.
PGP is great for encrypting files or e-mails so that only the designated recipients can read them. In our case, the entity encrypting the file and the recipient are the same person. Let's encrypt our archive:
gpg --encrypt --recipient 'Your Name or e-mail here' archivename.tar
or even shorter:
gpg -e -r NameOrEmail archivename.tar

You'll end up with a new, encrypted file named "archivename.tar.gpg". You can now delete the unencrypted version.
Exercise: combine the archive creation, compression and encryption using pipes. Yes, you can.
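In case you get stuck, here is one possible answer (using gzip and the key created above):

tar cf - folderPath/ | gzip | gpg -e -r NameOrEmail > somename.tar.gz.gpg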

I would advise checking this page from NASA, which explains how to use the AES256 cipher algorithm and how to use GPG's compression flags.

Backing up your data with Amazon S3 Glacier and rsnapshot. A complete guide, Part 2.


(Part I is here)

Let's get our hands dirty!
It's time to make automated backups with rsnapshot.

Remember rsnapshot lets you access full backups while minimizing space and letting you access older versions of the files.

Install rsnapshot

Step 1 is to install rsnapshot on your system.

Configure rsnapshot

rsnapshot can be configured to store files over the network and do pretty complicated stuff. It is in fact just a layer written in Perl on top of rsync and other common Linux commands.
The configuration file /etc/rsnapshot.conf will tell you plenty about how to configure the program. I just want you to pay attention to these points, which are not that clear in tutorials and hard to find in the documentation:
  • Use TABS, not spaces. If, like me, your default in Vim is to replace tabs with spaces, you can temporarily disable this behavior for the current session by typing ":set noexpandtab". The file is supposed to look stupid when you "cat" it.
  • Folder paths must end with a slash. Always.
  • Look at the rsync man page for the exclusion patterns you can use.
  • The retain lines should be read as explained below. Do not try to interpret them otherwise; you would get it wrong.

    retain hourly  4


    Keep only the four most recent versions of the job named "hourly". Only a few people know this but "hourly" doesn't mean anything for rsnapshot. You could replace it with "darkvader" if you wanted to.
    Here are incorrect ways to read the "retain" lines:
    "4" is not the number of times per hour the backup must be done.
    "hourly 0.5" doesn't mean the job will be executed every two days.
  • The retain lines must be declared from the most to the least frequent. So: hourly, daily, weekly, monthly, yearly.
  • Again, the job name (e.g. "daily") doesn't mean anything. You can remove any of them. For instance you could have it configured to keep the last 4 "hourly" jobs and the last 2 "monthly" jobs without mentioning "daily" and "weekly".
  • I repeat for the third time: the job name has no meaning. So if you put "daily" before "hourly", then the folders named "daily" will actually contain the "hourly" backups.
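Putting it together, a minimal /etc/rsnapshot.conf might look like the sketch below (paths and counts are illustrative; every field separator must be a real TAB, even if it renders as spaces here):

config_version	1.2
snapshot_root	/var/cache/rsnapshot/
retain	hourly	4
retain	daily	7
retain	weekly	4
backup	/home/	localhost/
backup	/etc/	localhost/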

Rsnapshot will create the output folder if it doesn't exist. On Debian, the default path is /var/cache/rsnapshot. The folder will be owned by root and inaccessible to everyone else.

First run

The very first time, invoke rsnapshot manually as root from the command line (preferably within screen) in verbose mode and see what happens:

rsnapshot -v hourly
where "hourly" is the name of the first retain job in the configuration. The very first run will take much longer than all the other afterward because it has to make all the copies. The next runs are faster because only the modified files get copied.

Schedule rsnapshot to run every hour / day / week / month ...


If all went well, you can now create a few cron tasks to run rsnapshot automatically. Type "crontab -e" as root and enter something like this (I will explain it below):

# m h  dom mon dow   command
  0 1,7,13,19 * * * /usr/bin/rsnapshot hourly
  0 2  *   *   *    /usr/bin/rsnapshot daily
  0 6  *    *   1   /usr/bin/rsnapshot weekly
  0 11 1    *   *   /usr/bin/rsnapshot monthly

Quit the crontab editor.

hourly: Instead of "*/6" to make an "hourly" backup every 6 hours, I listed the hours explicitly because I didn't want the first one to run between midnight and 1 am, when I know other cron jobs are scheduled.
If you are keeping the last 4 "hourly" backups, you probably want to make one every 6 hours. Does that make sense to you?

daily: There is one big risk with these cron jobs: the hourly job may not be finished when the daily job is scheduled. In that case, the daily job will be cancelled. I am pretty sure you can configure rsnapshot to run two jobs in parallel, but I would advise against it. Your best bet is to leave enough time for the "hourly" job to complete.

weekly: Same remark. Funny story: the value of "dow" can be 0-7. Both "0" and "7" designate Sunday, for portability reasons. Here "1" is Monday. (In a corporate environment you should probably run the weekly job during the weekend.) In my case the job runs every Monday at 6 am.

monthly: Same remark regarding the hour (not too close to the other jobs). In my case the monthly job runs on the 1st day of each month at 11 am.

Trick question: how can you schedule a backup to run every 3 days instead of every day, while still keeping all the backups from the past month? You must keep the daily and weekly backups too.

In /etc/rsnapshot.conf:
retain everyotherday 10
where "everyotherday" could just as well be "gogglydoe", and 10 is 30 days divided by 3.
The line must go between "daily" and "weekly".

In the crontab: 
# m h  dom mon dow   command
  0 0  */3 *   *    /usr/bin/rsnapshot everyotherday

Enjoy the power of full backups

You know what's nice about full backups (or kind-of-full backups, since rsnapshot uses hard links to avoid duplication)?
You can browse the backup folders in /var/cache/rsnapshot just like the "live" folders!

Continue to Part III

Backing up your data with Amazon S3 Glacier and rsnapshot. A complete guide, Part 1.


In this first part I'll tell you when to consider Amazon Glacier or not, compare full backups to incremental backups, and explain why you shouldn't "put all files in the same basket".

When to consider Glacier, and when not

Glacier is a great storage solution offered by Amazon for about $0.012 per GB per month, supposing:

  • You want something cheap but reliable;
  • You understand that by "Glacier" Amazon means your files are frozen: it takes a while to get to the glacier and thaw your data so you can retrieve it ;-)
  • You almost never need to access the data from the server (doing so will cost you something, and you will have to wait about 4 hours before getting a download link);
  • You already have some primary backup storage (a second disk will do) from which you can restore data immediately if needed;
  • You understand that Glacier is only meant to protect your data in case of fire or other major events, not simply to restore a file deleted by mistake on the "live" storage;
  • You don't plan to delete your files less than 90 days after uploading them (otherwise it will cost something);
  • You are OK with the principle of storing and retrieving archives instead of single files.

With these considerations in mind, if the ~4 hour delay to retrieve your data is unacceptable, you are looking at the wrong product; try regular Amazon S3 storage instead. It costs 3 times as much, but it's no slower than downloading this web page.
In fact there are plenty of use cases where Amazon Glacier is not the right solution, unless you are willing to accept its limitations.

Full backups and incremental backups explained

If you copy a folder with all its links (cp -a src dest), you are doing a full backup. If the source folder is 100 GB and you want to keep the backups of the last 7 days, you will need 700 GB of storage, and each copy will take 20 to 25 minutes. If you have 1 TB, we are talking about 3 to 4 hours!

The nice thing about full backups is that you can browse the backup just like you would with the "live" copy because it's a plain old regular folder! There is no need to extract archives or to use the backup solution's command-line client.

But as you can see, full backups use a lot of storage and are not particularly quick. The alternative is incremental backups. Instead of making a whole copy of the source folder, you only do that the first time. The next time, only the differences get saved. So if you add one character to a text file and that's all you did, the second backup is only 1 byte (I am simplifying, but you get the idea). The technical term for such a difference is a "delta".
A good command-line program for incremental backups is rdiff-backup.
One big flaw of this system is that you can't access the files directly, because the complete content of a file is split across backups. You need to rebuild it from all the small pieces.
What incremental-backup people usually do is create a full backup every other week or so to mitigate the problem.

My personal preference is rsnapshot. It's probably the best of both worlds. It gives you full-backup-like folders while saving only the files that changed. So yes, if you change one byte in a file, a complete copy of that file is made. That's the price to pay.

The little magic trick that rsnapshot uses is hard links. You see, when you list the contents of a folder or you type rm somefile, you are only dealing with a symbolic name pointing to a record (called an "inode") on the file system (the inode contains all sorts of metadata, but not the name). This means two things: not only is nothing erased from the disk when you ask to "remove a file", but you can also have two filenames pointing at the same content on the disk. This principle is known as a "hard link".
A "symbolic link", on the other hand, is the UN*X equivalent of shortcuts on Microsoft Windows. The "shortcut filename" points to a link-type inode which points to the real inode. If the real inode is marked as removed, the shortcut is broken.
This means that rsnapshot never stores the same file with the same content more than once, which explains why the very first run takes much longer than, say, the exact same command run one hour later. That's also why it is advised to run the first backup manually instead of letting cron do it: you can verify it works like it should, and it takes a long time.
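You can see the difference for yourself in a terminal (file names are arbitrary):

echo hello > a
ln a b        # hard link: "a" and "b" are two names for the same inode
ls -i a b     # both names show the same inode number
rm a          # removes one name; the content stays reachable through "b"
cat b         # still prints "hello"
ln -s b c     # symbolic link: a separate, link-type inode pointing to b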

The dilemma

There is one problem with rsnapshot. If you make an archive of the latest snapshot folder, which is supposed to be only a few megabytes bigger than the folder from an hour ago, you end up with the full 100 GB backup. You can send it to Glacier and it will be great, because when the time comes you'll get a full copy requiring almost no more work than extracting it.
The bad news: you will pay to store the same files again and again.

Incremental backups are much less practical to store on Glacier. First, you have to keep a log of some sort to know when you stored the first version of a file and where all the deltas are that you need to rebuild the version you are interested in. This is very complex and cannot be done by hand.

Not all files are born equal

I have 200 GB of data to back up. But here's the thing: if you are anything like me, 90% of it is made of files that never change and take a lot of space, such as photos and videos. They never change, so "incremental backups" are useless for that kind of file.
You must be very picky when choosing the folders you want to back up automatically.
This way you don't make useless copies of files you know will never change, and you reduce your costs.

Stuff you are working on gets royal privileges

I've got two requirements for files related to projects I am currently working on: there must be at least two copies accessible immediately, and they must be synchronized as often as possible.
This can be achieved with version control systems such as Git if you are working on code, or with Dropbox, Copy, Box, ownCloud, ... for everything else.
If anything happens to my laptop, I can open a browser on another computer and access my files in less than a minute.
You think that's excessive? Imagine you are in a rush and you have only a few (dozen) minutes to print a paper, a Master's thesis, the e-ticket for your flight in 3 hours, or the PowerPoint presentation that begins in 10 minutes...

There's a rule of thumb in the storage world:
The more often the data needs to be accessed, the faster the retrieval, and the higher the cost.

You should still save these files in the "slow backup system", because you shouldn't trust Dropbox and the like to keep multiple copies of your files in several locations, and they usually delete old versions after a few months.

Continue to Part II

Saturday, January 24, 2015

Linux firewall and DLNA server


MediaTomb is a DLNA server for Linux that is great for streaming movies and music from a NAS or any network storage to a TV or any compatible device.

The server magically appears on the TV, and from there you can browse the disk for media. Its one big flaw: there is no authentication. Anybody on the network can not only see that you have a DLNA server running, but also watch all your content.

There are many tutorials out there explaining how to set up MediaTomb (which is simple, thanks to its web interface and one change in the XML configuration to enable some authentication on the web page).

What you don't find is how to prevent people from seeing the DLNA server and watching the content.
This can be done easily, supposing the IP address of the allowed client (such as a TV) never changes.

Simply add the appropriate rules to Netfilter to allow that one client to access the server, and block the traffic for everyone else:

In my configuration, the default policy for the INPUT chain is DROP. Rule number 3 allows anybody on the network to access services on the server (which is not that secure, but well...). You can see the line numbers by typing iptables -vnL --line-numbers.

To let only 172.16.0.123 access MediaTomb, match it as the source address:

iptables -I INPUT 3 -i eth1 -p udp --dport 1900 -s 172.16.0.123 -j ACCEPT
iptables -I INPUT 4 -i eth1 -p tcp --dport 1900 -s 172.16.0.123 -j ACCEPT
iptables -I INPUT 5 -i eth1 -p tcp --dport 1900 -j DROP
iptables -I INPUT 6 -i eth1 -p udp --dport 1900 -j DROP

You can do the same for the web configuration interface, but I didn't bother, because a username / password can be set for it. I leave this as an exercise for you. (The source IP address will be your computer's.)

Note: There is probably a way to match a port for both TCP and UDP in a single rule, but I couldn't find it.
Also, eth1 is my LAN network interface. On this interface everything but DLNA is accepted. On the WAN interface, accepted traffic is the exception, so there was no need to write new rules.

DHCP subnet based on vendor in MAC address


As a network administrator you are probably doing some network segmentation, where you have internal servers in one subnet, IP phones in another, and so on.
You should probably use VLANs if you don't want these devices to "see" each other. But in other cases you only need to put them in a separate subnet and/or dynamically assign them particular IP addresses.

As you might know, the first half of a MAC address identifies the hardware vendor. If you are running a DHCP server such as the ISC DHCP Server on *nix, you can have devices from one vendor use a particular subnet / IP range.

Edit /etc/dhcp/dhcpd.conf:
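Something along these lines does it (a sketch: the OUI 00:04:f2 and the address ranges are illustrative; note that binary-to-ascii drops leading zeros, hence "0:4:f2"):

class "ip-phones" {
    # Match the first three bytes (the vendor OUI) of the MAC address.
    # "hardware" starts with the hardware-type byte, hence the offset 1.
    match if binary-to-ascii(16, 8, ":", substring(hardware, 1, 3)) = "0:4:f2";
}

subnet 192.168.1.0 netmask 255.255.255.0 {
    pool {
        allow members of "ip-phones";
        range 192.168.1.100 192.168.1.149;
    }
    pool {
        deny members of "ip-phones";
        range 192.168.1.50 192.168.1.99;
    }
}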

Watch a folder and send files by e-mail


My printer is able to convert faxes to PDF documents and save these documents to a network folder.
From there I could do many things, but I need a way to detect new documents in that folder.

But first, let's set up the Windows / Samba network folder.

Shared folder with Samba
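In /etc/samba/smb.conf, the share looks roughly like this (a sketch; the path matches the incron example further down):

[IncomingFax]
   comment = Incoming faxes from the printer
   path = /srv/shr/IncomingFax
   browseable = yes
   writeable = yes
   valid users = @sambausers
   create mask = 0770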



The comment is shown in the file explorer. browseable controls whether the folder is listed, and writeable is needed to write and (more interestingly in this case) delete files.
valid users can contain users or groups (prefixed with @) that have permission to read and (if applicable) write to the folder.
create mask is required because the folder is meant to be shared with a group instead of belonging to a single user. Use 0750 if you only want the creator of a file to be able to remove it.

I created a sambausers group on my machine and put the appropriate users in it. Remember you need a system account for each user, and that you need to configure each account through smbpasswd. By the way, you can back Samba with a database or LDAP if you like.

You need to make a new directory, let the sambausers group own it, and give the group read / write / execute permissions (chmod g+rwx) on it. The execute permission on the folder is needed so you can create files in it.

Restart Samba. Check you can access the folder from your file manager with the appropriate credentials.

Watch directories on your file system

One great way to do this is the incron daemon. It lets you set up cron-like tasks that execute a shell script or any executable program whenever a change is detected in a folder.

Install incron on your system.

Log in as a user with permission to read files from the shared folder on your Linux box. You can sudo -i -u theUser.

Open man incrontab in one terminal window.
In another window, fire up incrontab -e to edit the tasks associated with the user.
Mine is configured with: /srv/shr/IncomingFax IN_CREATE /home/myuser/somescript.sh
You can watch for other events, just read the manual you just opened!

Now every time a file is created in the IncomingFax folder, the script will be executed.

E-mail the file just added

Here is an example of the shell script that I use. It might not be the smartest way to do what it does (particularly because the information about which file was added is lost in the process, due to how incron is invoked here).
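It goes roughly like this (a sketch following the description below; the paths, the address and the French strings are illustrative):

#!/bin/bash
WATCHDIR=/srv/shr/IncomingFax
STATE="$WATCHDIR/.lastfile"
LOG=/home/myuser/fax.log

# Only react to .pdf files (the file system is case-sensitive).
LAST=$(ls -t "$WATCHDIR"/*.pdf 2>/dev/null | head -n 1)
[ -z "$LAST" ] && exit 0

# The printer sometimes fires several events for the same document,
# so remember the last file mailed and skip duplicates.
[ -f "$STATE" ] && [ "$LAST" = "$(cat "$STATE")" ] && exit 0
echo "$LAST" > "$STATE"

# Crude: assume the printer finishes its transfer within 5 seconds.
sleep 5

echo "$(date): sending $LAST" >> "$LOG"
echo "Veuillez trouver le fax en piece jointe." | \
    mutt -s "Nouveau fax recu" -a "$LAST" -- someone@example.com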


The script holds its "state" in a ".lastfile", because the script sometimes gets executed several times for the same document. I don't know why; I think it's an issue with the printer. You might not need to do that.
I also keep a log file recording what the script does. You might not want that either. What you might like, though, is the check on the file's extension. Note that the file system is case-sensitive, so ".PDF" files won't be matched.

Make sure you have mutt installed. Sending attachments is a bit complicated, and sendmail alone is not enough. Note that you can attach several files at once. The argument to the echo command is the message body, and what comes after "-s" is the message subject.
I purposely left this example in French as a reminder that it is safer to avoid any encoding other than pure ASCII. There has to be a way to cope with UTF-8, but I didn't have time to investigate that issue.

This script has (at least) one limitation, and I should rewrite it to make it more robust: I assume it takes less than 5 seconds for the printer to transfer the file, and after 5 seconds I send the file by e-mail. There would be better ways to know whether the transfer is finished:
  • Use a program that reads the file. That program probably knows whether the file is valid.
  • Wait until the file size has been constant for some time, then assume the transfer is finished.
  • If there are a lot of transfers, assume the second-to-last file was completely transferred when we detect a new one.


There you go. We can now watch a folder, filter files by extension, and send each new file by e-mail.

Saturday, January 17, 2015

Secure e-mail and encrypted files


In the last article I explained that you should encrypt your traffic. The article was focused on web browsing.

With email it's another story.

Web traffic is like a phone conversation that can be tapped. Email is like regular mail. You don't even have a direct connection with the recipient.

Like regular mail, emails are "routed". You send them from your computer to your email provider, then your provider sends them to the mail server responsible for the recipient's domain, and from there they may be passed on again to a mailbox server (e.g. an IMAP server).

While it's always a good idea to send your e-mails over a secure SMTP connection, your email provider might not do the same with the recipient's email server.

Furthermore, while web traffic is volatile, emails are stored on hard drives and are more likely to contain sensitive information. It's very easy for anyone with access to these servers (such as your boss, the email providers and the government) to look at your emails.

The solution to this problem can actually be used for almost anything, and it's not new technology at all.
That technology is asymmetric cryptography. (It's asymmetric because the encryption and decryption keys are not the same. The encryption key can be given to anyone and is usually published on public websites, while the decryption key stays secret. Since they are not really just "encryption" and "decryption" keys, we'd better call them the public and private keys.)

It comes in two forms: PGP (with implementations such as GnuPG), the preferred solution, or digital signatures / certificates (known as S/MIME).

I will list the advantages of using asymmetric cryptography, and a few drawbacks.

Pros


  • Only the sender and the recipient can look at the data. For people in the middle, it's just gibberish.
  • You encrypt the data for one recipient only. The message is encrypted with the recipient's public key, so only the matching private key can decrypt it; to anyone else who intercepts it, the message is useless.
  • The recipient can verify the identity of the sender and know for sure that only someone with the proper private key, and the password to that key, could have sent the email.
  • The same mechanism can be used to sign without encrypting, when the data is not sensitive but you want to prove you created it. This is useful for software, so you don't download a counterfeit copy with security holes.
  • Can be used to encrypt anything, any sequence of bytes, including files or your whole home directory.
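As an illustration of the signing points above, producing and checking a signature takes two GnuPG commands (the file name is arbitrary):

gpg --detach-sign --armor release.tar.gz        # produces release.tar.gz.asc
gpg --verify release.tar.gz.asc release.tar.gz  # anyone with your public key can check it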

Cons

  • This you already knew: if you use a weak password for the private key, or reuse that password on more than one application / website, you achieve no security.
  • The recipient needs to use PGP or S/MIME too, so that the message can be encrypted for them and they can decrypt / verify it. So your recipient needs to be as tech-savvy as you are.
  • Even though there are some solutions for mobile devices and webmail, they are never as good as, say, the Enigmail extension for Thunderbird.
  • It's very easy to lose your private key, but it's risky to make copies. See the problem?

The insecure Web and the Dark Net

Prison guards are looking at your Internet traffic

I cannot stress enough the fact that you should encrypt your traffic as much as possible.
This includes web browsing, e-mail, instant messaging and so on.

You see, unencrypted traffic is like letters sent from prison: people are looking at it. It can be the police monitoring criminal activities, but also the police monitoring the regular John Doe who did nothing wrong, your Internet provider, or your boss.
That's how the Internet works. Packets get routed from router to router until they reach their destination. Along the way, anyone can look at the data if it is sent in the clear.


How to protect against these spies

HTTPS

There are several ways (that can be combined) to make your browsing more secure.
Number 1 is HTTPS. While "sniffers" can still see whom you are contacting (and block the communication), they can't see what you are sending.
The traffic is encrypted so that only your computer and the final server (such as your bank's web application) can see the data in the clear.
BEWARE: if you are using a company computer, chances are they have installed their own certificate, and what you believe is encrypted actually is not. There are ways to check this.

The problem with HTTPS is that not all websites offer it.
Some sites are HTTP-only. You would need something more complicated, but you are basically screwed.
Some sites are HTTPS-only. These are the best kind.
Some sites offer HTTPS, but you have to ask for it explicitly. For these sites I strongly suggest HTTPS Everywhere, a browser extension that connects you to the HTTPS version whenever one is available.

Proxies

While proxies won't encrypt unencrypted traffic, they can be effective when some firewall is blocking your access to a website. You see, the biggest concern for your network provider, for instance your school's WiFi network or the McDonald's WiFi, is not really that you are visiting a website they don't like. It's that they know the government is spying on them, and if the spies find something, the company is accountable and will end up in the newspapers, or maybe even in a trial.

The idea is that the connection must seem to come from another point on the Internet. This can be achieved using proxies. There are lists of proxies that you can use for free, as well as paid solutions providing greater bandwidth.
However, they are easy to detect, because all your traffic then goes to one IP address, and some proxies even show your real IP address to the receiving end.

If you have an SSH connection to a remote host, you can simply use it to redirect your traffic:

ssh -L 1234:the-website.com:80 user@host

Then you can access the website at http://localhost:1234/
But that sometimes doesn't work, because many websites use fully qualified links and pull resources from other domains.
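Dynamic port forwarding works around that limitation: instead of tunnelling a single site, you get a local SOCKS proxy, and the browser resolves and fetches everything, absolute links included, through the remote host:

ssh -D 1080 user@host
# Then point the browser's SOCKS5 proxy setting at localhost:1080.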

Tor

Tor is a very complex network / technology that is not only secure but also hides your traffic, making it hard to detect, provided you follow other rules and pay attention to your Internet activity.

The same goes for...

I2P

Another technology, probably even better, as it uses different paths for the packets sent and received, and this network path can change for every packet if needed.

Tor is the older project. Both protocols / networks are associated with the DarkNet. Until recently, a website on Tor known as Silk Road handled millions of drug transactions. Buying weed was as simple as ordering the new iPhone online: you would receive your package at home, no questions asked, in a discreet, typical business parcel.
And this is nothing compared to other things you can do on the dark net: hire hackers or hitmen, buy guns, fake ID cards, stolen credit cards and other info.
Because such transactions would of course be detected with PayPal, for instance, all these websites use the Bitcoin peer-to-peer currency. (It's peer-to-peer, but there is a public ledger storing all transactions, and even though the user IDs are supposed to be anonymous, it isn't hard to analyze the data and associate people with transactions.)

Don't get me wrong, I think Bitcoin is a great idea! It's a shame it's used like this, though...

But these networks are very effective, because the connection is untraceable and encrypted along the way (except when the website at the end is on the regular open Internet and doesn't use HTTPS).
To use Tor, all you need to do is download the Tor Browser.

In another article I will explain how you can achieve secure e-mail.

Friday, January 2, 2015

VirtualBox headless server setup


UPDATE: For day-to-day operations, you can use these handy aliases.

It might be interesting in some scenarios to have a virtual machine running on a headless server.
If you don't have thousands of dollars to spend on VMware vSphere or similar commercial solutions, you can do it for free, if you don't mind the command line.
And once you've created one VM you can simply clone it, which doesn't take much longer than clicking buttons on a web interface...
Also, except for Oracle's implementation of the VRDP server (a cousin of the VNC protocol), the solution is entirely based on open source software, if that is something important to you.

If you are really allergic to the command line, or you want to let sane human beings use your "VM server", you might want to take a look at unofficial solutions such as

  • phpVirtualBox (web-based, includes a RDP client as a Java applet)
  • RemoteBox (heavy client on your workstation, makes it easier to connect with RDP)
Both solutions try to imitate the official GUI application, so you should feel at home with either of them. Note that phpVirtualBox might be insecure and dangerous; you should restrict access to it using HTTPS and Basic Authentication. See also: Apache's "Allow from ..." directive to restrict by client IP address or subnet.



My setup

Host: Debian 7.7, 64-bit
Guest: Windows 8.1, 64-bit. It will be named "Windows8.1_x64". The setup is similar for other operating systems.
Packages: VirtualBox 4.3 with guest additions, DKMS

VirtualBox package

Although VirtualBox is available through the official Debian repositories, the version there is usually out of date, which can make things complicated with newer guest OSes, and it might be hard to find older versions of the matching VirtualBox extension pack.

As root (or using a combination of tee and sudo):
# echo "deb http://download.virtualbox.org/virtualbox/debian wheezy contrib" > /etc/apt/sources.list.d/virtualbox.list
# wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | apt-key add -
# apt-get install virtualbox-4.3 dkms

Note: When I tried it, APT was so slow that I downloaded the package with a web browser and installed it with dpkg.

DKMS

Make sure you installed dkms as shown in the previous section. Otherwise you will have to recompile and reinstall the VirtualBox kernel module after every kernel update.

DKMS is a general-purpose package maintained by the "Dynamic Kernel Modules Support Team" at Debian. It doesn't come from Oracle / with VirtualBox.

VirtualBox extension pack

The extension pack is required for many features, such as the VRDP server (VRDP is similar to VNC).

Download the pack from the VirtualBox website: https://www.virtualbox.org/wiki/Downloads
The link is titled "All supported platforms". Once you've read the license, you can download with wget:
$ wget "http://download.virtualbox.org/virtualbox/4.3.SOMETHING/Oracle_VM_VirtualBox_Extension_Pack-4.3.DO_NOT_COPY_THIS_LINK.vbox-extpack"
DO NOT COPY THIS LINK. This command is only given for reference. Copy the link from the website instead.

Install the extension pack as root:
# VBoxManage extpack install *.vbox-extpack

Creating a naked virtual machine

The rest of the tutorial can and should be done not as root but as a regular user. Membership in the "vboxusers" group doesn't even seem to be required.
$ VBoxManage createvm --name Windows8.1_x64 --register
or
$ VBoxManage createvm --name Windows8.1_x64
$ VBoxManage registervm "$HOME/VirtualBox VMs/Windows8.1_x64/Windows8.1_x64.vbox"
Both commands will create the directory above. I advise you to put all your files there, except maybe the installation disk image.

Let's set a few options on the VM:
$ VBoxManage modifyvm Windows8.1_x64 --ostype Windows8_64 --memory 4096 --vram 128 --nic1 nat --nictype1 82540EM

The list of OS types can be obtained using VBoxManage list ostypes.
The (RAM) memory is given in MB. VRAM stands for "Video RAM" (I think this parameter's default value is 128 MB). Note the NIC type is "8254 ZERO EM", with a zero, not a letter O. Although 82540EM is compatible with most guest OSes, the virtio NIC type is a better choice if the guest OS supports it, as it offers better performance.
UPDATE: Windows 8.1 is not compatible with virtio.


Bridged mode

Bridged mode is useful if you want to communicate with the VM from any device on your network.
This mode is particularly useful for SSH connections.
The default NAT mode hides the VM from the network, so it looks like the network traffic is coming from your host machine.

To enable it, type VBoxManage modifyvm Windows8.1_x64 --nic1 bridged --bridgeadapter1 eth0.
eth0 is the interface connected to the network you'd like to access the VM from.
Note that modern systems with systemd use a predictable naming scheme for network interfaces, so the name will usually be something like enp5s0 (Ethernet) or wlp3s0 (wireless).

Either way try ip addr if you are not sure...

Hard drive

As you may or may not know, hard drives live independently of virtual machines in VirtualBox, hence the existence of the "Virtual Media Manager" in VirtualBox's GUI.
For this reason we need to create the drive first and attach it to the virtual machine later.
This design is also nice when you wish to play with a virtual RAID setup by "disconnecting" drives.

I suggest installing the hard drive alongside the other files of the VM:
$ cd VirtualBox\ VMs/Windows8.1_x64
To create a 50 GB hard drive:
$ VBoxManage createhd --filename Windows8.1_x64.vdi --size 50000
Note 1: The file is created in the current directory.

Note 2: The file won't use 50 GB until the virtual disk is actually full. Remember it can be full even if Windows still shows available space, due to fragmentation on FAT and NTFS partitions.
Before copying virtual hard drives, I suggest defragmenting them first and then compacting the VDI (Virtual Disk Image) file with VBoxManage modifyhd ...filename... --compact

To attach the drive to the virtual machine we first need to create a SATA controller:
$ VBoxManage storagectl Windows8.1_x64 --name SATA --add sata --controller IntelAhci --bootable on
Then we can attach the disk:
$ VBoxManage storageattach Windows8.1_x64 --storagectl SATA --port 0 --device 0 --type hdd --medium "$(pwd)"/"Windows8.1_x64.vdi"
Important: The last argument must be an absolute path (you can safely copy and paste the last command if you copied and pasted the first two commands of this section).

Installation medium

Locate your ISO image of the Windows installation disk.

For some reason optical disk drives need to be attached to an IDE controller. Let's add one:
$ VBoxManage storagectl Windows8.1_x64 --name IDE --add ide --controller PIIX4
Then we can attach the image to the controller:
$ VBoxManage storageattach Windows8.1_x64 --storagectl IDE --port 0 --device 0 --type dvddrive --medium /absolute/path/to/your/windows8_disk.iso

Replace the ISO image path with emptydrive to eject the medium.

Make the system boot on the DVD:
$ VBoxManage modifyvm Windows8.1_x64 --boot1 dvd

Configure the VRDP port (optional, 3389 by default)

If you are running several virtual machines at the same time, you will want to change the VRDP port of the VM with
$ VBoxManage modifyvm Windows8.1_x64 --vrdeport 5012 --vrde on

The option --vrdeaddress 192.168.0.1 (or whatever) is also available and might be useful if you don't use a firewall.

Windows 8 specific configuration

Windows 8 will start, but the installer will complain with obscure error codes (0x00000225) with the options set so far. We need a few more:
$ VBoxManage modifyvm Windows8.1_x64 --pae on --ioapic on

In fact you probably want to enable PAE/NX with any guest OS.

There is a problem with the mouse cursors from the Aero theme. To solve it, use the "(None)" theme with no shadow.

Starting the VM

It is now time to start the VM. Although you can also use VBoxHeadless, which shows errors and warnings, I prefer the following command, which forks and runs the VM as a daemon process:
$ VBoxManage startvm Windows8.1_x64 --type headless

Connecting from your workstation

Note for Linux guests: if you want to install a Linux guest over SSH (some distributions support this mode of installation), you won't be able to connect to it as long as the NIC type is set to NAT. You can change it to another supported mode and configure the interface accordingly, or connect to the virtual machine using the same method as for the Windows installation described here (which you will need anyway if you intend to run a graphical installer).

Make sure the VRDP server is started and listening for connections on the appropriate port:
# netstat -tlpn | grep VBoxHeadless

Connect from your workstation using your preferred RDP client, for instance for the KDE Remote Desktop Client (krdc):
$ krdc rdp://your-server-ip:3389

Press "Cancel" when asked for a password.
Alternatively, install and run rdesktop:
$ rdesktop -a 16 -N your-server-ip:3389

Put IPv6 addresses between brackets: [2a00:...]:3389

The Windows 8.1 installer uses a resolution of 1024x768. rdesktop will select it automatically.

rdesktop worked fine on Ubuntu 14.04, but on Arch Linux I could only use FreeRDP:
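A plain connection looks like this (see the Security section below for the full set of options I ended up using):

$ xfreerdp /v:your-server-ip:3389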



CAVEAT: My mouse pointer was off. This is corrected by the guest additions, but of course you can only install them after Windows... Try putting the pointer at one of the edges of the screen to make matters marginally better. You can also use the keyboard.

Installing the Guest additions

The guest additions come as a DVD image that ships with VirtualBox itself.

But before loading the drive (I already showed you the technique, remember?), power off the machine, either with one of the VBoxManage controlvm arguments or from the guest OS.

Afterward we can take a look at the options set on the VM:
$ VBoxManage showvminfo Windows8.1_x64

For instance, near the line "IDE (0, 0)" you will see that the Windows installation DVD was unmounted.

Let's mount the Guest additions DVD:
$ VBoxManage modifyvm Windows8.1_x64 --dvd /usr/share/virtualbox/VBoxGuestAdditions.iso

and start the VM with the method shown earlier.

Install the guest additions from the guest OS by locating the DVD drive and firing up the installer.

Reboot.
The "mouse bug" should be fixed now.

Performance optimizations

If you use KRDC, select 16 bit color depth and select "Connection type: Broadband".

Disable the visual effects using this method:
http://www.thewindowsclub.com/disable-visual-effects-windows
My favorite set of options keeps Windows looking natural while making everything much smoother.

You can also use a smaller resolution and fewer colors (8-bit instead of 16 or 24) in your RDP client.

Choosing a solid color desktop background also speeds things up.


Quick startup and shutdown

To make Windows boot and shut down quickly, do not boot it up or shut it down ;-)

Use Virtualbox "save state" feature instead:
$ VBoxManage controlvm Windows8.1_x64 savestate
$ VBoxManage startvm Windows8.1_x64 --headless

You can also "reset", "poweroff" or "discardstate" if appropriate. These are dangerous options similar to pulling off the plug of a physical computer. Use them only if the guest OS didn't power off the machine after shutdown (80-90s style) or the OS froze.
You can also "pause" or "resume" the guest OS temporarily.

I always "savestate" a Windows guest OS when I am not using it because I've noticed Windows or one app or another is writing and reading on the disk all the time. This reduces performance of the host OS and wears the drive, shortening its life.

To shut down the system cleanly, supposing there is no unsaved work (if there is, the shutdown will be cancelled):
$ VBoxManage controlvm Windows8.1_x64 acpipowerbutton

Security

See the VirtualBox manual (linked at the end of this tutorial) to set up a proper authentication method.
Here is a quick how-to:
$ VBoxManage setproperty vrdeauthlibrary "VBoxAuthSimple"
$ VBoxManage modifyvm Windows8.1_x64 --vrdeauthtype external
$ VBoxManage setextradata Windows8.1_x64 "VBoxAuthSimple/users/YOUR_RDP_USERNAME" $(VBoxManage internalcommands passwordhash "YOUR_RDP_PASSWORD" | awk '{print $3;}')
Replace the user and password with ones of your choice.
krdc will ask for your password, but with rdesktop you need to provide it on the command line:
$ rdesktop -a 16 -N YOUR_SERVER_IP:3389 -u YOUR_RDP_USER -p YOUR_RDP_PASSWORD -r sound:off -x l -z -P
(Here I used a few other options such as optimization for LAN connections, compression, no sound...)
For FreeRDP:
$ xfreerdp /v:YOUR_SERVER_IP:3389 /u:YOUR_RDP_USER /p:YOUR_RDP_PASSWORD -toggle-fullscreen /bpp:16 /w:1808 /h:1017 +auto-reconnect
(Here the options are: 16-bit graphics (65,536 colors) and a custom resolution. "+auto-reconnect" is supposed to re-connect automatically but, to be honest, it doesn't really work. YMMV...)

With Windows' Remote Desktop Connection utility, you need to click "Show options" and then the option about credentials. After you've connected once, your credentials will be saved.

Cool stuff


There is plenty of cool stuff, such as remote USB, that you can do. Make sure to check out the VirtualBox user manual.

Your Feedback counts!

Please comment below if you have any remark, question or suggestion or if you liked this tutorial.