I assume you already know about TOR, The Onion Router, the anonymity network that protects your privacy.
TOR is a network, so it only works if people run nodes (relays). If you have a server, consider running one. Afraid of legal issues? You do not need to run an exit node: a non-exit relay only forwards encrypted traffic between other relays and never connects to destination sites on behalf of users, so it does not attract the abuse complaints that exit nodes do.
This post will show you how easy it is to set up a TOR relay on Debian, how to nicely monitor it and how to use it as a transparent router.
Friday, January 18, 2013
Monday, May 14, 2012
USB rescue and secure boot disk
I think it's always good to carry a rescue operating system, like Ultimate Boot CD for Linux or UBCD for Windows. Personally I like Grml: it is Debian-based, comes in 32- and 64-bit builds and can be installed on USB.
Booting from CD/USB is as simple as embedding syslinux, a kernel and an initrd, and giving it a filesystem. The filesystem can be stored on the CD/USB (usually as a squashfs file), but you can also point to a local filesystem. This way, you can have a fully encrypted local disk and boot (kernel+initrd) from CD/USB. And good news, this is not specific to Linux! If you use TrueCrypt on Windows, you can chain syslinux to grub4dos and boot from your TrueCrypt Rescue Disk ISO file.
Since TrueCrypt does not use the TPM (unlike BitLocker) and Linux solutions (e.g. TrustedGrub) are not yet ready, this simple workaround protects against tampering with the non-encrypted portions of the disk (MBR, /boot), because that part of the boot chain now lives on the USB key. The trust moves to the key, not away: it only helps as long as the key stays in your possession, and it does nothing against a tampered BIOS/firmware, which still runs before anything on the key.
This post will describe how to set up a USB disk with grml32/64, grub4dos for TrueCrypt Rescue Disks, a Linux /boot and how to add other live CDs.
Monday, April 09, 2012
YubiText and 3-factor password authentication
As I said in the last post, I obtained YubiKey USB tokens and started to play with them. One of the programs I made is YubiText: it types text when a YubiKey is plugged in. For instance, one can use it as a way to type a password. This post describes how it works and how I use it for something I call 3-factor password authentication.
Thursday, April 05, 2012
YubiKey USB security token
I recently obtained YubiKeys from Yubico. It is a USB hardware token that presents itself as a keyboard device (USB HID) to type characters, and it has a small button. It supports different modes:
Monday, April 02, 2012
PPTP VPN and policy routing on user
The first part of this post describes how to use PPTP VPN on Linux, in command-line and not GUI. The second part, actually independent of VPN, describes how to set up policy routing for a user, in order to have all traffic from that user to go through a specific interface (e.g. the VPN interface).
Tuesday, March 13, 2012
Going DNSSEC, Unbound and PowerDNS
stalkr.net is now signed with DNSSEC! In this post I will quickly describe what DNSSEC is and why I chose to deploy it, then my choice of Unbound as a resolver and PowerDNS as an authoritative server, and finally give a few resources about this topic.
Tuesday, February 28, 2012
SSH/HTTP(S) multiplexing with sshttp
Sebastian Krahmer (@steaIth, c-skills) made and released a nice SSH/HTTP(S) multiplexer: sshttp. Such a program is needed when you want to share your HTTP (or HTTPS) port with SSH, to be able to use SSH from behind a network that only allows outbound connections to HTTP (or HTTPS) and does not bother with protocol inspection. Learn more by reading the readme.
I was previously using sslh, but sshttp has a killer feature: it uses the Linux IP_TRANSPARENT socket option with netfilter trickery (packet marking plus a dedicated routing table) to pass the original client IP through to the destination (sshd or httpd), so your logs still show the real source address and not 127.0.0.1. Since it's a great program, and not necessarily easy to set up (not packaged yet, as far as I know), in this post I'm sharing my setup.
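To make the multiplexing concrete, here is an added example in Python; it is not sshttp's code (sshttp is written in C) and not the setup from the original post. It does what sslh and sshttp both do at their core: peek at the first bytes a client sends on the shared port without consuming them, decide whether this is SSH, HTTP or TLS, and splice the connection to the matching backend. The backend addresses, the listen port and the 2-second "silent client means SSH" fallback (the rule sslh uses, since an HTTP or TLS client always speaks first) are assumptions. The `transparent` flag shows the IP_TRANSPARENT bind that gives the backends the real peer address; it needs CAP_NET_ADMIN plus the fwmark/routing-table setup the post refers to, which this example does not configure.

```python
import select
import socket
import threading

# Added example, not sshttp's own code. Backend addresses and listen port are
# assumptions; adjust them to your sshd/httpd.
SSH_BACKEND = ("127.0.0.1", 22)
HTTP_BACKEND = ("127.0.0.1", 8080)
FIRST_BYTES_TIMEOUT = 2.0    # seconds to wait for the client to speak first
ROUTES = {"ssh": SSH_BACKEND, "http": HTTP_BACKEND, "https": HTTP_BACKEND}


def classify(first_bytes):
    """Guess the protocol from what the client sent first.
    - SSH clients send their identification string "SSH-2.0-..." right away.
    - A TLS ClientHello starts with record type 0x16 (handshake), version 0x03 0x0X.
    - HTTP starts with an upper-case method token followed by a space.
    - Nothing at all within the timeout: assume SSH (an HTTP/TLS client never
      waits for the server to talk first; some SSH clients do)."""
    if not first_bytes:
        return "ssh"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if first_bytes[0] == 0x16 and len(first_bytes) >= 2 and first_bytes[1] == 0x03:
        return "https"
    method = first_bytes.split(b" ", 1)[0]
    if method.isupper() and method.isalpha() and len(method) <= 10:
        return "http"
    return "unknown"


def peek_first_bytes(conn, timeout=FIRST_BYTES_TIMEOUT):
    """Wait up to `timeout` for data and read it with MSG_PEEK, so the bytes
    stay in the socket buffer and the backend still sees the full stream."""
    readable, _, _ = select.select([conn], [], [], timeout)
    if not readable:
        return b""
    return conn.recv(16, socket.MSG_PEEK)


def connect_backend(backend, client_ip, transparent=False):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if transparent:
        # sshttp's trick: bind to the *client's* address before connecting, so
        # sshd/httpd log the real peer. Requires CAP_NET_ADMIN and a policy
        # route (fwmark + "ip route add local 0.0.0.0/0 dev lo table N") that
        # steers the backend's replies back into this proxy instead of onto
        # the wire. IP_TRANSPARENT is 19 on Linux if the constant is missing.
        s.setsockopt(socket.SOL_IP, getattr(socket, "IP_TRANSPARENT", 19), 1)
        s.bind((client_ip, 0))
    s.connect(backend)
    return s


def pump(a, b):
    """Copy bytes in both directions until either side closes."""
    peer = {a: b, b: a}
    while True:
        readable, _, _ = select.select([a, b], [], [])
        for s in readable:
            data = s.recv(65536)
            if not data:
                a.close()
                b.close()
                return
            peer[s].sendall(data)


def handle(conn, addr, transparent=False):
    kind = classify(peek_first_bytes(conn))
    backend = ROUTES.get(kind)
    if backend is None:          # unknown protocol: drop it, do not guess
        conn.close()
        return
    try:
        upstream = connect_backend(backend, addr[0], transparent)
    except OSError:
        conn.close()
        return
    pump(conn, upstream)


def serve(listen=("0.0.0.0", 80), transparent=False):
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(listen)
    ls.listen(64)
    while True:
        conn, addr = ls.accept()
        threading.Thread(target=handle, args=(conn, addr, transparent), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Running `serve()` needs root (or CAP_NET_BIND_SERVICE) for port 80 and real backends on the assumed addresses; `classify` and `peek_first_bytes` are the part worth reading, since the rest is ordinary socket plumbing. Note that without `transparent=True` the backends see connections from 127.0.0.1, which is exactly the logging problem the post describes.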
Sunday, January 08, 2012
Ghost in the Shellcode 2012 Teaser - Hackquest
Again this year was ShmooCon's Ghost in the Shellcode warm-up round or Teaser (@ShellGhostCode). Congrats to Eindbazen for winning!
There were three challenges: crypto (Tel Aviv), crackme (AL's revenge) and exploitation (Hackquest). You will notice strong references to the movie Hackers (1995). Write-ups can be found on the FixMe wiki, the Leet More blog or the Eindbazen blog.
Labels: cop, ctf, exploitation, python, rop
Wednesday, August 31, 2011
HSTS preloading, public key pinning and Chrome
I recently discovered Chrome's net-internals. Among other interesting things, there is a tab about HTTP Strict Transport Security (HSTS). Also, introduced with version 12/13, Chrome now has HSTS preloading and public key pinning. These two features help improve online security:
- HSTS preloading: the browser already knows that a site must only be contacted over HTTPS, before it has ever visited it. For instance, it ensures users go to https://site even if they type http://site. This closes the first-visit gap of plain HSTS, where a MITM can intercept the initial http://site request before any policy has been learned (see how sslstrip strips the "s" of https).
- public key pinning: the certificate chain presented by the server must include at least one whitelisted public key (identified by a hash of its SubjectPublicKeyInfo). For instance, it ensures only whitelisted Certificate Authorities (CA) can sign certificates for *.example.com, and not any of the hundreds of CAs in your browser store.
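The following is an added example, not Chrome's code and not from the original post. It models both mechanisms described above in a few dozen lines: an HSTS store seeded with a preload list, applying the Strict-Transport-Security header rules of RFC 6797 (max-age, includeSubDomains, max-age=0 to clear, malformed headers ignored) and a superdomain walk for subdomain coverage, plus a pin check that accepts a chain only if one of its public keys is whitelisted. With an empty store and no preload entry, `must_use_https` returns False on the first visit, which is exactly the window sslstrip exploits and the reason preloading exists. The hostnames, preload entries and the "SPKI" byte strings are constructed, and the pin format (base64 of SHA-256 over the SubjectPublicKeyInfo) is the one later standardised by HPKP rather than Chrome's internal representation.

```python
import base64
import hashlib
import time
from dataclasses import dataclass

# Added example; not Chrome's implementation. Hosts, preload entries and
# "SPKI" byte strings used with it are constructed.


@dataclass
class HstsPolicy:
    expires: float            # absolute time in seconds; inf for preloaded entries
    include_subdomains: bool


def parse_sts_header(value):
    """Parse a Strict-Transport-Security header value.
    Returns (max_age, include_subdomains, preload), or None when the header
    must be ignored (missing, duplicate or malformed max-age, RFC 6797 s6.1)."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:
        return None
    return max_age, include_sub, preload


class HstsStore:
    """Static (preloaded) policies never expire and cannot be cleared by a
    header; dynamic ones come only from headers received over HTTPS."""

    def __init__(self, preload=()):
        self.static = {h.lower(): HstsPolicy(float("inf"), sub) for h, sub in preload}
        self.dynamic = {}

    def observe_header(self, host, value, now=None):
        """Record the header from a successful HTTPS response. Never feed it
        a header seen over plain http: an attacker could set or clear it."""
        now = time.time() if now is None else now
        parsed = parse_sts_header(value)
        if parsed is None:
            return False
        max_age, include_sub, _ = parsed
        host = host.lower()
        if max_age == 0:
            self.dynamic.pop(host, None)        # max-age=0 means "forget me"
        else:
            self.dynamic[host] = HstsPolicy(now + max_age, include_sub)
        return True

    def must_use_https(self, host, now=None):
        """True if an unexpired policy for host, or for a parent domain that
        set includeSubDomains, is known. False on a first visit with no
        preload entry: the window a downgrade attack (sslstrip) needs."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            for table in (self.static, self.dynamic):
                pol = table.get(candidate)
                if pol is None or pol.expires <= now:
                    continue
                if i == 0 or pol.include_subdomains:
                    return True
        return False


def spki_pin(spki_der):
    """Pin = base64(SHA-256(SubjectPublicKeyInfo DER)), the HPKP form."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def chain_matches_pins(chain_spki_der, pins):
    """Pinning passes when ANY key in the served chain (leaf, intermediate or
    root) is pinned, so a site can pin its CA rather than a single leaf key."""
    return any(spki_pin(spki) in pins for spki in chain_spki_der)
```

Two details worth noticing: the superdomain walk in `must_use_https` is why a policy on example.com with includeSubDomains covers www.example.com but never notexample.com, and the any-key-in-chain rule in `chain_matches_pins` is what lets a site pin to its CA so certificate rotation does not break pinning, at the cost of trusting every certificate that CA issues for the name.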
Friday, July 08, 2011
Twitter Archiver
Twitter is great to get and share information quickly. But it is all web 2.0 and you cannot use a simple cat or grep to view or search your tweets. I would like to have tweets saved in a simple text format: date, user, text. Also, I would like a simple program to give me the list of followers/following of a user.
Fortunately, Twitter provides a web API and people started to implement it in different languages, like Mike Verdone (@sixohsix) and his great Python Twitter Tools.
So here comes twitter-archiver and twitter-follow, python programs added to Python Twitter Tools to archive any public timeline of tweets in simple text format and to view the list of following/followers of a user.
