I.T. Security and Linux Administration

July 31, 2013  1:20 PM

What My Linux is Like: Terminal (desktop+laptop)

By Eric Hansen

This was the biggest reason I moved away from Awesome3 on my PC. I don’t use my netbook often enough for it to really affect me, but my PC is used virtually 24/7 (at least it feels like it). As such, I had to find something that worked more in my favor. I always loved Konsole, and it plays nicely with what I like (easy shortcut keys, not Gnome, works without having to customize it much).

The problem is that on my netbook I got used to Stjerm, which basically emulates a Quake-style console: you hit a key and it drops down, hit it again and it rolls back up. I loved this feature, and luckily someone emulated it in KDE as well. This is where Yakuake makes me a happy Linux user.

It doesn’t take a lot to get Yakuake up and running; it’s basically just a container of sorts for Konsole that adds some extra eye candy to make it a bit more pleasing. Pretty cool, huh?

Stjerm, on the other hand, requires some slight work to get it working. While it can simply be run and played with, if you want anything customized, from what I found you have to pass arguments to it.

July 31, 2013  1:12 PM

What My Linux is Like: The Distro (desktop+laptop)


A little series I thought I would start, detailing various aspects of my daily use of Linux, including the distro, programs, tools, etc… and why. Sounds fun, no?

This one will cover the distro, and since I use it for both my PC and netbook (aka laptop here), I’ll join them into one. I’ll also cover the window manager and all that pretty stuff; the next post will go into the specific programs I use to make my life easier (i.e.: terminal, text editor, etc…).

My systems have Arch Linux installed. My netbook is a prime candidate for it, as it only has 160GB of space and 1GB of RAM, and I didn’t want to fuss around with Ubuntu, Fedora, etc… My desktop, while it only has 250 GB of space, has 8GB of RAM (why? because I wanted to max out my board, even though I’m only ever using ~5-30% of it, depending on what I’m doing).

The “funny” part though is that I’ve ended up working with two different environments on my laptop and my desktop. My laptop uses the Awesome3 (aka Awesome) window manager, and it works well because the touchpad annoys me greatly and I’m too lazy to get a spare USB mouse. Awesome is a keyboard-driven tiling window manager that fits in nicely for those who want extremely fine-grained control over how they use their computer. It is very easy to customize and theme, and virtually everything can be modified.

Now, for my desktop. This one is a little different because I started out with Awesome as well, but I couldn’t find a good enough terminal to use. What I ended up doing was just installing KDE, and I’ve actually been happy with that since. Sure, it comes with a good amount of bloatware too, but… well, knowing me I’ll just be reformatting and fixing things up anyway come fall (I tend to reformat every 6 months for no other reason than just because).

May 31, 2013  6:56 PM

Dynamic or static website?


Should you run a dynamic or static website? It’s typically a tough call. Dynamic sites offer a lot of functionality that, for obvious reasons, you don’t get in a static version. However, there are some things to consider:

1. Dynamic sites add a lot more overhead and resource usage on your server (not good if you plan on running multiple sites on one server)

2. Static sites, while they may not have search functionality, can still provide other options like a tag cloud (just make sure you use good tags)

3. Dynamic sites are more vulnerable to security issues, opening up a flood gate for hackers to enter your server

#3 is the biggest concern I have. WordPress, for example, is an amazing piece of software for blogging… and now website management. It’s not hard to install a theme, plop a plugin or two in, add some pages and make a blog post welcoming the world. Static sites, however, can be very tedious to work with, even if you template-ize the whole thing (i.e.: put common code in separate files and include it at run time).

What does that have to do with security? Everything. WordPress has been under the gun lately for some security issues, and Drupal had some issues not too long ago as well (though not with their software… yet).

In rebuilding my business’ website, I had to sit down and really think about what was used and not-so-used. I didn’t make a lot of blog posts, no one commented, and for all intents and purposes the page design broke in different instances. Basically, I had a setup that was using around 50MB of RAM (Apache2 + PHP + MySQL), powering WordPress, and was doing nothing that it’s intended for. So what if I cut all that down?

If someone wants to comment, I have Disqus available. Now the main focus of the site is not blog posts but what my business offers. I can still use Apache, but why? Sure, I might need it for my CMS (client management system), but my website won’t need it. Install Nginx, have that serve the static content, off-load everything else to Apache via proxy and be happy. Apache won’t be trying to do so much with the disk and resources now, and I’m able to improve speed by not running my rarely-modified files through a pre-processor (i.e.: PHP).
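One way to set up the split just described, as an added example that is not the author’s actual configuration: the hostname, the document root, the /cms/ path and Apache listening locally on port 8080 are all assumptions.

```nginx
# Added example: nginx answers every request for the static site itself and
# hands only the CMS path to a local Apache.  Nothing under "/" is executed
# per request, so a PHP bug in the CMS cannot be reached through the site.
server {
    listen 80;
    server_name example.com;            # placeholder hostname

    root /var/www/static;               # pre-built HTML/CSS/JS, no PHP involved
    index index.html;

    location / {
        try_files $uri $uri/ =404;      # serve a file or 404; never proxy by accident
    }

    # Only the client management system still needs Apache + PHP (assumed path).
    location /cms/ {
        proxy_pass http://127.0.0.1:8080;           # Apache moved off port 80 (assumption)
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```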

May 31, 2013  2:56 PM

Outlook.com vs. GMail: Part 2 – Sending Emails


Besides the whole GMail IM-style email concept that I stated my dislike for in part 1, there are some points to make about both in terms of composing email.

Let’s take GMail’s full-window composing version for this, as an equal comparison. It was nice, but it threw a whole lot of things in your face. You had about 20 options in front of you before you even started typing a recipient or anything. Which, for a user who wants to customize the heck out of an email, is great. But when you just want to type up a quick “how do you do” email, why?

Outlook, on the other hand, sets it up pretty neatly. The left side has the recipients and the right side lets you set the subject, some formatting tools and then the body. Plain, simple, easy to manage.

Google’s IM-style mail offers a similar feature set, but it’s layered into menus. So, if you want to remove the formatting, you have to click the “A” symbol, wait for the menu, then click on the format remover option.

The recipient area is quite similar in that you can type in the name or email and it’ll populate a list for you. One thing that does bother me about Outlook, though, is that it lists the people you email frequently. I understand the logic as to why, but I do feel it can be a privacy concern if you are emailing someone that you don’t want others to know about, or whose email address you don’t want others to easily see.

May 31, 2013  1:43 PM

Authenticate with Picaso


In my SSH Picaso post, I mentioned how the fingerprint is displayed as ASCII art. But what if we took that a step further? What if that ASCII art was our password?

The fingerprint of a keyfile is supposed to be as unique as the keyfile itself, as it’s derived from the data, right? Who is to say then that we cannot compare the art and match what we have stored with what we received? The article I linked to in the post made a good attempt at doing something similar with GPG, and I commend the author on it. But what about SSH?

Sure, public key authentication is amazing, but what if it isn’t good enough anymore? What if we end up having to encrypt those files via GPG to make it secure? There are a lot of what-ifs but not that many answers.

This would also open the door to storing ASCII art in the database instead of hashes for passwords, and using the password itself as the fingerprint. Of course it’d still have to be salted to reduce collisions, but it’s one more method that could be useful.

May 31, 2013  1:10 PM

The SSH Picaso


If you’ve ever created an SSH keypair, you’ve been graced with SSH’s artistic abilities. You know, that little character map that shows you the key’s fingerprint:

➜  ~  ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/eric/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/eric/.ssh/id_rsa.
Your public key has been saved in /home/eric/.ssh/id_rsa.pub.
The key fingerprint is:
08:48:6e:8a:6a:14:5d:58:d3:10:54:f2:7b:e0:33:0c eric@home
The key's randomart image is:
+--[ RSA 2048]----+
|  . +O=.         |
| o.o. +.         |
| .+..E o         |
|.o.  .+.o        |
|o.    .*S.       |
|o       +        |
|..               |
|.                |
|                 |

I found an article that goes into detail about how this is created, and it’s rather interesting. Basically, what’s going on behind the scenes is that it takes the fingerprint (in this case “08:48:6e:8a:6a:14:5d:58:d3:10:54:f2:7b:e0:33:0c”) and converts each pair (“08”, “48”, etc…) into binary. It then reads each byte’s bits in reverse order (so 08 = 00001000 becomes 00010000). After that, the bits are broken off into pairs again, so each step handles either 00, 01, 10 or 11.

The board you see is basically the board you get. The concept behind it is to show you how often each position on the board was landed on. Each character represents a specific count at that location:

0 - " "
1 - "."
2 - "o"
3 - "+"
4 - "="
5 - "*"
6 - "B"
7 - "O"
8 - "X"
9 - "@"
10 - "%"
11 - "&"
12 - "#"
13 - "/"
14 - "^"

The S and E you see there mark where the art generator started and ended.

Now, there’s some mathematics behind how the board sets the position and such, and the analogy that the SSH devs used to explain this (the drunk bishop) is a lot better. The article I read, which covers this in more detail than I do, can be read here: http://pthree.org/2013/05/30/openssh-keys-and-the-drunken-bishop/

May 31, 2013  12:23 PM

Leaking information through API


I’ll be honest, I was torn on whether to post about this or not. On one hand it’s perfect for this blog as it involves security… on the other hand, it kind of opens new doors for stalkers. But, here I go.

I’ve never heard of this service before, but apparently there’s a social media website out there called Skout, which is basically a Foursquare-style service for meeting up. There was a recent article on a blog (http://corte.si/posts/security/skout/index.html) that mentioned that Skout was sending back more in the API than they should. Namely, the concern was the geographical coordinates of the user (longitude and latitude).

This issue has been resolved, but it got me wondering: what other services leak such sensitive information? I know Facebook’s tagging system works by ID, but what about when it’s trying to find your location? It goes through your phone’s GPS, that’s sent over the air, and nothing says the data is encrypted. It’s one reason why I prefer open source, but that’s a different topic.

When you create an API for your service, whether it be web or not, you have to consider what you are returning as well as what you are receiving. If you’re going to just dump the records into a JSON object and return it, then why not just let the user have free rein over your server? You’re essentially doing the same thing. Not to mention, returning only what you need speeds up the process.
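The “return only what you need” rule from the paragraph above, as an added example in Python that is not code from the original post or from Skout: the sample row, its column names and the public/private split are constructed for illustration.

```python
# Added example (not from the original post or from Skout): shape an API
# response from an explicit allow-list so private columns such as the user's
# coordinates are hidden by default instead of leaked by default.
import json

# Constructed sample row, as it might come back from the database (hypothetical).
USER_ROW = {
    "id": 42, "name": "alice", "avatar": "alice.png",
    "lat": 42.3314, "lon": -83.0458, "email": "alice@example.com",
    "last_login_ip": "203.0.113.7",
}

PUBLIC_FIELDS = ("id", "name", "avatar")          # all another user may see
PRIVATE_FIELDS = frozenset({"lat", "lon", "email", "last_login_ip"})

def public_profile(row: dict) -> dict:
    """Copy only the allow-listed keys. A column added to the table next month
    stays out of the response unless someone deliberately lists it here."""
    return {k: row[k] for k in PUBLIC_FIELDS if k in row}

def private_keys_in(payload) -> list:
    """Response-filter check: every private key that appears anywhere in a JSON
    body (string or already-parsed object), including nested objects and lists."""
    data = json.loads(payload) if isinstance(payload, str) else payload
    found = []
    def walk(obj):
        if isinstance(obj, dict):
            for k, v in obj.items():
                if k in PRIVATE_FIELDS:
                    found.append(k)
                walk(v)
        elif isinstance(obj, list):
            for v in obj:
                walk(v)
    walk(data)
    return found

if __name__ == "__main__":
    naive = json.dumps({"users": [USER_ROW]})                # "just dump the records"
    shaped = json.dumps({"users": [public_profile(USER_ROW)]})
    print("naive response leaks:", private_keys_in(naive))   # lat, lon, email, last_login_ip
    print("shaped response leaks:", private_keys_in(shaped))  # nothing
```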

May 30, 2013  7:03 PM


There’s a crowdfunding project here: http://www.indiegogo.com/projects/fund-safe-guns for smart gun development. Basically, the government’s newly proposed gun control method is biometrics on guns.

I’m not going into politics or my point of view on gun control, but I don’t see how this is going to make things better. The idea itself is interesting and better than RFID (I can’t see someone having to wave an RFID card at their gun to fire), but it doesn’t solve the issue of who fired the bullet. It only reduces the chance of the gun being used by someone other than its owner.

May 30, 2013  6:43 PM

“Malware in your system? Good”


Who really thinks that allowing IP (intellectual property) to be protected by locking it in with malware is such a great idea? Who?!

Basically, the idea is to stop the pirating of software and the theft of software and other IP. The law would give the creator the right to basically have a backdoor into the violator’s machine and network, photograph the hacker, ruin their network or their machine, etc…

This is a small post, but really, there’s not much to say about it. Why? Why would you want to put more money into something that is not going to stop “hackers” from hacking? That’s like throwing a steak at a dog and telling him not to eat it.

If you want to read more information on this, go here: https://www.techdirt.com/articles/20130527/21352923220/dumb-idea-dumbest-idea-letting-companies-use-malware-against-infringers.shtml

May 30, 2013  5:54 PM

Outlook.com vs. GMail: Part 1 – Why


A while ago Google announced the discontinuation of the free tier of Google Apps (basically Google providing email, storage space, etc… free to businesses). It also just so happened that within the next couple of months, Microsoft announced Outlook.com, which was set to take the place of GMail (without specifically stating it).

Yes, I’m a Linux fan, but this isn’t a matter of Windows vs. Linux; it’s a matter of usability. Which service am I happier with? I can use either one just fine regardless of the operating system I’m using.

GMail used to be the coup de grace when it came to email. If you didn’t have a GMail invite, you weren’t cool. Heck, people were selling them everywhere (even on eBay, I believe). It was a mad rush and everyone wanted to get in on the next big thing, just like Facebook vs. MySpace. I loved the easy design, and the functionality was just what I was looking for. I didn’t want to use my ISP’s SquirrelMail anymore, and GMail was the best ticket ever.

Then the Labs feature came out, along with themes. While I wasn’t crazy about the themes, I thought it was a nice touch. The Labs option was nice as well, basically bleeding-edge trial and error of what you might be able to expect next for your mailbox. Some of them were nice, others were pointless for my use. At least it gave me the option of disabling the ones I didn’t want, however.

After that came IMAP support, which sent me to heaven. No longer did I have to keep a backup copy of my entire inbox on my machine. Nope, I could instead just mirror a list locally and reference emails when need be. The threading was pretty nicely done too.

What’s that? Oh yeah, ads. Well, they weren’t bad at first. A simple bar at the top giving some user-targeted ads, why not? But wait… there’s more! Now they get placed on the sides of the email, reducing the visibility of your emails. Which really isn’t a bad thing, but at the same time I’d like to have as much of my screen as possible devoted to reading.

From there on, it just kept declining. The more features GMail added, the slower the response times got. So much so that they had to preload things before you even got to view your email. Why? It takes a whole 2-3 seconds now to view my inbox, whereas when I first signed up it took less than 1 second.

Now, here I am, looking at Google’s competitor Microsoft as a saving grace. I’ll be the first to admit I dislike the whole Metro/tiling design, and it’s one reason why I swear off Windows 8, but Outlook.com looked nice. Sure, it still had the ad space and folder list like GMail does, but more of my screen was devoted to why I’m even on the website: to read email.

Composing email is one of the biggest complaints I have against GMail. If it wasn’t for the fact that they are now forcing you to type an email into an instant message (and no more free service), I’d highly consider waiving the rest of the issues. But, really, if you’re trying to run a business, why would you want to force yourself to squint and scroll up just so you can remember what you typed?

I’ve started using Outlook.com for my personal email as well as for my business, and feel it’s a change for the better. This series, however, will take you through my issues and enjoyment over the switch, and conclude with my final verdict.
