Thursday, November 24, 2016

Encryption in a Trump presidency

I keep seeing articles about how now that Trump has been elected encryption apps are on the rise and people talking about how to encrypt your stuff more and more. This just makes me laugh. Now to clarify, I am not a Trump supporter or a Clinton supporter. I went third party because I'm sick of the either or option we keep getting. I also wanted to vote for a candidate that fit my thoughts the best, and that wasn't in one of the main parties. So why does this make me laugh? Let's look back on history. Even during the Obama administration the government was listening in. Snowden proved that. So what is the difference between a Democrat listening in on your conversations and a Republican?

So here's the real scenario. Your conversations are being monitored. Not just by the government, but malicious people who may or may not be aligned with anyone in particular. The bottom line is that if you're worried about people listening in on your conversations now, you should have been worried since the invention of communication devices. It is far more than a government thing.

I also want to touch on the battle of encryption. We always talk about Internet encryption, however let's look at another area where encryption has been discussed. Amateur radio, or Ham radios. Look up amateur radio encryption and you can see a complicated argument going on. To summarize what little I actually know about it (so correct me if I get details wrong), there's no real encryption of messages allowed if they obscure your communication unless publicly documented. Or basically, you can encrypt so long as anyone can decrypt it through some means. This should sound a lot like the government wanting back doors into online encryption. In the case of radios, it's the FCC who would be tapping in. In these arguments, there are lots of people against and for it. Perhaps we need to really look around us and see the contrast in opinions for encryption simply divided by medium of choice.

My opinion is that regardless of medium, people should be allowed to encrypt whatever, whenever and however they want and not be required to turn over any information of how to decrypt unless they so choose. If I pass a paper note to someone in a special code only myself and the other person know, it should be treated the same as passing along information online. Regardless of medium, it is a matter of the information traveling.  If I decide to send plain text online and have the message purely in code words that only myself and the sender understand, would that still be covered under encryption? Potentially.

Now if you wonder why I support encryption, it is not in any way because of government. It is because of people. People can be malicious. Here are situations where encryption is not only preferred, but in today's world a necessity.

Remote administration. Being a tech, I am conscious of whether I use telnet or ssh. Even using a VPN should be encrypted. In remote administration, sensitive information is constantly being moved around. I don't want someone who manages to listen in to see how I log in to the router or even configure it.

Transferring of files and storage. Suppose my doctor emails me blood test results. Well, because of HIPAA, it needs to be secure in many ways. Now the email is on my hard drive. Very sensitive information about me. If I keep it, I want it protected in any way possible. The government can know all they want about that, it's malicious people I don't want seeing it.

Business transactions. This can include credit card information or stuff that if taken can be used for insider trading (which is illegal). I want to keep people from stealing my identity or making money with an illegal advantage.

There are many more special cases that you can list off, but the point is there is a lot of sensitive information being shuffled around and whether you want the government to get in or not we should all be able to agree that we should do what we can to protect ourselves from malicious people in the world.

Now let's say the government comes knocking and they want access to your encrypted phone because they are gathering evidence and you may or may not be responsible. Well, if it's not subpoenaed then you have the right to keep anything from them, especially if it's self-incriminating. This is because in America we have the whole innocent until proven guilty thing. I also would like to say a tech company should have the right to withhold information for decrypting a phone for the reasons of if they give it away then all their phones are vulnerable in future cases and nothing stops the government from needing that permission to get in in the first place. This would be like if the government got every key maker to make a master key and give them a copy to get into your house, car and every locked room and container in your home. It's just wrong. Locked in my house are personal files and munitions. They are locked for a reason, not legality but because stay out of my stuff.

The only law I would support in encryption would be a way for the government to subpoena password information from a person. It's the same as getting a warrant to go into a house and them refusing to let you in. You can change a lock later if you're that worried but if there is that much reason to get the information legally then only that individual should be compromised, not an entire user base.

Back to the main point, does Trump being president affect the encryption fight in any way or give reason to encrypt your information? No more than any other administration. The reasons to fight for encryption remain the same. He may pick the policy makers and may pass laws but they've been listening in for a while now. So get your head out of the sand and actually do something about it and stop fear mongering about which person got elected and how that affects it in any way, because the fight will remain the same. Take a real good look at the world around you.

So here's to hoping people will actually get up and make a change. It saddens me to think it takes fear to motivate people to actually care about something but I'm all for making the world a better place. So let's keep our private lives private, let's keep our security, and let's not be afraid but instead fight for what we want.

So all those in countries where the fight is being lost or already lost... I hope you won't be a model for us. Hopefully when we win this debate, others will follow suit and it will be the norm to just allow encryption and stop asking companies to unlock stuff for them or to give them access to information they don't need to stick their noses in.

Monday, August 1, 2016

Information Dump: Vi/Vim Quickstarter Guide

During my internship, I was tasked at one point with configuring an openSUSE server with Novell. The reason I was given the task was because I was the only one familiar with Linux systems. I won't go too far into the details or reason for this, let's just say it was a non-profit organization and leave it there.

While attempting to set it up, I needed to modify the fstab because for some reason it would not play nice with the drive and I was too inexperienced with Linux at the time to work out a cleaner way to do it. The problem I ran into was there was no graphical text editor, I didn't know how to get one and there was no nano or pico. There was only vi. For just starting out and my only familiarity being Ubuntu, it was terrible. I was lost. So being handed the book that the system came with opened to the vi section, I attempted and failed miserably. In the end, I did a lot of cat and echo because I was also unfamiliar with sed.

I failed to learn anything because it just seemed too daunting. Later down the road I would try it from time to time with little success. Then one day at the job I am currently working, I decided to allow myself only to use vi until I figured it out. To my surprise, it didn't take that long and is actually rather simple to use... just different.

Now most systems use vim, even when you run vi. Vim is much easier to use, however I have found vi on some devices that I use and it was easiest just to keep with working like I'm always on vi for habit and consistency. So here's some quick controls to get you started with vi so you can use it at the very least for what it was intended, editing text files. This should give you a simple base to get going.

So the first thing that tends to happen when opening a file is that most people try typing and it seems like random stuff just happens. This is because vi has different modes. You start out in command mode. To type, we need insert mode. There are two ways to get to insert mode and they do two different things, so let's start with a blank file and you can join in the fun. Start vi!

So once it is started up, press the i key to go to insert mode (makes sense, right?). Now type in (and don't hit enter at the end):

abc123

Now press Esc. Easy enough, and the cursor should now be on 3. Now let's say we want to add a 4 to the end. So let's press i again and hit 4. Now you may notice the 4 is before the 3. What gives? Well, we did insert and insert will insert before the cursor. Well, darn, let's delete that pesky 4 that is cutting in line. Press your Esc then delete key.

Okay, so how do we insert something after the cursor? Well, we use a fancier word, append! Can you guess what we hit for that? If you guessed a, then you're right! So press that a key and hit 4.

Okay, now let's try making a second line by pressing enter and let's type...

xzy 789

Okay, so now we have two lines. There are a few different ways we can navigate this (press Esc so we're in command mode). You can use the arrow keys, which is straightforward. The other is using the h, j, k, and l keys. Up is k, down is j, left is h, and right is l. Easy enough, except for the counter-intuitive l for right, but at least it's on the far right.

So now the next big question is how do we exit? There are a few different ways and we need to be in command mode. First, the scenarios and how to exit. You press enter after these commands.

If you opened up a file and it remains unchanged, you can do

:q

If you opened a file, edited it, and now need to save and quit, you can do either of these

:wq <optional filename>
:x <optional filename>

If you changed something but want to quit without saving, you can do this

:q!

Since we have no filename, the optional filename to save is well... mandatory. Now if we just want to save the file... say as test.txt, you can do this

:w test.txt

This will save it in your pwd. So far, so simple. With these memorized, it should be pretty easy to at the very least use vi or vim when you need to. So we can insert, append, delete, navigate, save and quit. Let's look at a feature I find very useful when a file is cluttered with way too much commenting that looks like more configuration. Let's delete the xyz line entirely. Arrow onto that line and double tap your d key. That removes the line entirely. If you just want to delete the text, you could tap shift+d at the beginning of the line (use home and end to get to the beginning and end of lines). Shift+d will remove all of the line from the cursor on.

What more could you ask for? Copy pasta! Copying, cutting, and pasting is part of today's culture. Not having this ability in a text editor is horribly inconvenient. Fear not, for we have that ability in the form of yanking! Sounds weird, but bear with me. Before we can get there though, we need to learn to select text. We do that with v. When you use v, you start selecting on the cursor and move the cursor around to where you want to select to. There's also a way to select whole lines with shift+v and arrow down or up or just stay right there for one line. Keep in mind that this will include the newlines at the end.

With this, we can now yank (copy) or delete (cut) text. To yank the text, you can simply press y with the text highlighted. To delete, you press d. Now to paste it, you arrow to the point you wish to insert the text and press p.

Now you may remember to delete a line, I mentioned you can use shift+d, well this is the equivalent of cutting that single line. So after you do that, you can press p to paste it. The same works for double tapping d. Copying a whole line for pasting is also as simple as double tapping y.

With that, you can now easily begin some basic file editing. Hopefully this will help a poor wayward soul who shivers at the mere mention of vi. It really isn't that scary, it's just so different than what people are used to nowadays. There are plenty of more advanced features, like regex searching and replacing that are some powerful features worth looking into as you get more comfortable with it. There are also even more numerous features than just these, but I try to stick to what I need rather than finding a feature that I need to make a need for using it.

Tuesday, July 19, 2016

Information Dump: Uses for Old Computers

It seems like we have reached a point where people are no longer trying to save up and purchase the next up-to-date computer model or N core CPU and N RAM that you end up using only 10% of, except for when you decide you need 50 tabs open in chrome when you're only using 4 because bookmarks, back buttons and remembering where you've been seems like too much of a hassle. Now it's all outdated computers barely scraping by and people cursing out their computer because even though it's old and slow, it should be able to run that flash game you like to play on the site filled with ads and using 7 different JavaScript frameworks because jQuery wasn't easy enough for developers when you can copy-paste a widget with a different framework and paste it all in. If you can't tell by now, I'm sick of people asking me if they need a new computer and complaining about how bad their current one is even though half of the problem is them and the other half is a lack of understanding.

Even at my current job as an IT Specialist I hear the people I work with talk about using Linux to "prolong" the life of our old computers then talk about all the modern day software it needs to run. We're running Ubuntu 12.04 LTS on machines that sound like jet engines taking off just to start up. It's a nightmare. Even our "new" computers don't really cut it for some of the stuff the people I work with do. When you're running virtual machines, you really need to step your game up.

That being said, there are plenty of uses for old computers. The main thing to use them for is very low resource things with light weight modern operating systems, for security reasons. Keeping an outdated OS or nearing out of date OS because it "works" is not recommended. All that ranting aside, let's dive into it.

As far as picking an operating system, options may be limited. The best I can advise you is that if you just meet "minimum requirements," don't get too excited. That means the system will run... until you start adding updates and robust programs you want to run. While you may assume I will list off just Linux distributions, you will find that you are sadly mistaken. So let's start with a fun one.

FreeDOS

Remember the good old DOS days? Remember all those cool retro games you used to play (or hear people talk about)? Of course you could run DOSBox, but you could also install and run an actual DOS system. This works pretty well out of the box and even includes graphical programs like GEM (the desktop) and Arachne (web browser). You can also download a ton of DOS games for free from quite a few different websites I'm not going to name off because you can Google what you want.

MenuetOS or KolibriOS

Originally, a friend showed me KolibriOS, and I got a good laugh at this. It is capable of fitting on a single diskette. Aside from being absolutely tiny, it includes a basic web browser and FASM assembler. If you're really big into assembly programming and want a very minimal OS to do your work on virtually any junker you have laying around, this is a possibility for you. I can't really say much beyond that as I'm not that into this scene. So if you're interested, check out their websites for the full detail.

ReactOS

Currently in Alpha when writing this, and I have not tried it out yet. However, it claims to be an open source free to use Windows NT environment. The requirements seem low enough that you should be able to run it easy on really anything you could turn on. I hope this gains some real traction and I'll add some more after I have time to try it out.

Okay, so that is all I have beyond the realm of Linux, besides BSD. Of course there are other operating systems out there that I could in fact add to this, and I may over time. However, I'd like to focus now on application possibilities and leave the OS choice to you. To finish off I will list any extra lightweight distros I know off the top of my head that we can use for just a generic desktop that will meet the requirements of browsing the web, storing and accessing files, and running some type of basic word processor or office suite.

There are a decent amount of network services that sit idle for quite some time and draw very little in the way of resources. Assuming your old machine also has a slower network card we can still use it for something. Some are so lightweight that we can add multiple services onto a single machine and even if it is old, it can still get the job done.

DHCP

This is simply a server that assigns computers an IP address. While it is true that most routers will do this for you, making your own server can give you far more control. This can also be used in conjunction with a TFTP server to allow network booting. Network booting can be used for some simple cloning solutions like Clonezilla or Fog.

DNS

This is another service most routers take over. However, if we use this with a DHCP server, we could develop a very capable SOHO network. This can also be used to simplify finding any devices you may have on the network rather than trying to remember an IP address.

T/S/FTP

TFTP can be used with DHCP for network booting or simple automated backup tasks. SFTP is the secure version of FTP and I'd recommend it over your standard FTP. This can be used for backups or a simple network storage. Who can turn down some extra file storage?

Domain Controller

In enterprise environments, there is often a domain controller and everything is part of a domain. You can do this as well, and it won't require much for resources. It will take a lot of time and patience. This will often use SAMBA, Kerberos and DNS working together. There are a lot of tutorials to set this up. This will make things a bit easier than statically entering in every DNS entry which can make life even easier if you constantly need access to network devices but IPs are hard to remember and setting up a static IP every time is inconvenient. It is recommended you use Kerberos for authentication and all that.

Cloning Solution

I mentioned Clonezilla and Fog earlier. Clonezilla on a network boot creates an extremely flexible cloning option. It will allow you to send the clone any way you want and choose your cloning method very easily. Fog is a lot more robust, however I have run into minor issues with it and older computers at work. Fog allows you to register your hosts for easy tracking. You can clone in bulk with grouping. Easy installations and remote script running with snap-ins. Easy management through a web interface. Anti-virus scanning, wake on LAN, and much more. It is very robust and it's free. It is probably also one of the easiest things to set up on this list.

HTTP

If a web server isn't under a bunch of traffic, most of the time it just sits there twiddling its fan. An HTTP server doesn't even need to be open to outside traffic. You could simply use it for listing network services or practicing your web design skills. There are also administrative tools you could use for your other services you may install that use a web interface. You're only limited by your imagination.

RADIUS Server

RADIUS servers are used for authentication. This can be used to up your network security a little bit more. It's also needed for the WPA enterprise stuff. FreeRADIUS is an example of a free RADIUS server you can try.

Now I could list off service after service, however I like these because they offer a practical use and more of an immediate payout. The biggest resource they use up will be your time in setting up and fine tuning everything. Alternatively, you could make your own services and use an old machine as a testing ground. Another possibility is to install an old or vulnerable OS on it, like DVL, and try to hack it or break it or secure it. That offers some good practice with a lot less risk and no need for cranking up a virtual machine on your soon-to-be outdated Pooper-scooper 9000 with chrome accents, clear cover, and light-up fans. I didn't name off a real computer because I wanted to make a HAL 9000 joke and a poo joke, so two birds with one stone?

So now for the list dump of lightweight Linux distros. But before I do this, ask yourself what makes them lightweight. Most of what I see is "Less bloat! Optimizations! Benchmarks!" Unless you're Gentoo, then it's all you trying to optimize it. I hope you're more capable than I am, I needed to install it with the option that includes all the bloat just to get the network to work. Just some food for thought.

Now while I was going to put a list, I noticed DistroWatch has an Old Computer tag. So rather than copying someone's work or citing original credit, I will just link to it. I'd also recommend checking out DistroWatch as they are very useful in finding new distros and keeping up to date with very little effort.

THE LIST

I noticed that some of the ones I mentioned above are on their list despite being neither Linux nor BSD. I can tell you I did not find them from that list, they were shown to me or found in other research. For that reason I'm leaving them up, despite my dislike of duplicate information.

Saturday, June 18, 2016

Hacking 101: Reset Windows Passwords

A while back, I was repairing a computer for someone and required their password. The problem is, I forgot to get it and happened to have... lost the person's number. As you can tell, I'm a professional. Now I needed a way to reset the password. I read online you can do it with the actual CD/DVD for the Windows OS. The problem is, I didn't have one for that version of Windows, so another option was needed.

Here is something good to know, the Ubuntu live CD has NTFS support already. So with that, we're set. So here's the outline:

We need an Administrative command prompt.
Windows has programs you can trigger with an event, even at the login screen.
We need to use that triggered event to launch a command prompt.
The command prompt can be used for whatever... like changing passwords.

So load up an Ubuntu live CD. Once in, open up your file browser and navigate to your Windows partition. In the System32 folder, we're looking for a file named sethc.exe. Make a copy of it and then replace it with a copy of cmd.exe. Now all we need to do is boot back into Windows. The file we replaced with the command prompt is sticky keys. So once at the login, tap shift five times. For some reason, sticky keys never seems to work properly, so I just rapidly tap it until a few prompts decide to finally pop up.

Now let's say, for example, the computer doesn't even have an Administrative account active. Well, now we can activate it, even password protect it if you want. So to activate it, the command is

net user Administrator /active:yes

Now to password protect it or change a user password, use this command (replace Administrator with the username you want to change).

net user Administrator <new password>

Simple and easy. I know it's all well known, however I wanted to write on it in a way as a reminder to myself if I forget.
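A defender's counterpart to the swap described above, as an added example that is not part of the original post: run from a live CD or against a mounted disk image, it flags a sethc.exe whose contents are byte-for-byte identical to cmd.exe. The function names, the System32 path argument and the sample files are assumptions made for the illustration.

```python
"""Added example: offline check for a swapped Sticky Keys binary."""
import hashlib
import os
import sys
import tempfile


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_case_insensitive(directory, name):
    """NTFS names are case-insensitive, a Linux mount is not: match either way."""
    wanted = name.lower()
    for entry in os.listdir(directory):
        if entry.lower() == wanted:
            return os.path.join(directory, entry)
    return None


def check_login_helpers(system32, helpers=("sethc.exe",), shells=("cmd.exe",)):
    """Return one finding per helper: 'ok', 'missing', or 'replaced-by:<shell>'."""
    # Hash every shell binary present so helpers can be compared against them.
    shell_hashes = {}
    for shell in shells:
        path = find_case_insensitive(system32, shell)
        if path:
            shell_hashes[sha256_of(path)] = shell
    findings = {}
    for helper in helpers:
        path = find_case_insensitive(system32, helper)
        if path is None:
            findings[helper] = "missing"
            continue
        match = shell_hashes.get(sha256_of(path))
        findings[helper] = f"replaced-by:{match}" if match else "ok"
    return findings


def demo():
    """Build two constructed System32 folders (clean, tampered) and check both."""
    results = []
    for tampered in (False, True):
        with tempfile.TemporaryDirectory() as root:
            system32 = os.path.join(root, "System32")
            os.mkdir(system32)
            # Constructed stand-in contents, not real Windows binaries.
            shell_bytes = b"MZ constructed stand-in for cmd.exe"
            helper_bytes = b"MZ constructed stand-in for sethc.exe"
            with open(os.path.join(system32, "cmd.exe"), "wb") as f:
                f.write(shell_bytes)
            # Mixed case on purpose: exercises the case-insensitive lookup.
            with open(os.path.join(system32, "SetHC.exe"), "wb") as f:
                f.write(shell_bytes if tampered else helper_bytes)
            results.append(check_login_helpers(system32))
    return results


if __name__ == "__main__":
    # With an argument, check that System32 directory; otherwise run the demo.
    if len(sys.argv) > 1:
        print(check_login_helpers(sys.argv[1]))
    else:
        print(demo())
```

A hash match only catches an exact copy of cmd.exe; verifying the file's signature covers other replacements. The swap needs offline write access to the Windows partition, so full-disk encryption and a locked boot order are what prevent it in the first place.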

Friday, March 4, 2016

Malware: 1-855-298-4477

So while at work, I get an email. Someone has a popup saying stuff along the lines of malware detected, your computer is locked, don't reboot or you could damage your system. Then it says repeatedly to call "tech support" at 1-855-298-4477. After looking at the screen shot, it was easy to tell the problems. First, it was in a web browser. Second, the spacing was all messed up.Like this. Most importantly, it just says "call tech support" and not specifically who this tech support is supposed to be. So, obviously just close the window and move on.

Now being the jerk that I am, I decide while I have a moment to call the number. The number seems to re-route you to different recipients, all who answer along the lines of "this is tech support, how may I help you?" So when I get that, I hang up and cross my fingers I get a call back. I do. The number was marked as being in Texas, but I highly doubt that was its origin. The number was 1-713-589-4442. So the guy calls and says that he missed my call and asks how he can help. There was a thick accent, so I had to get him to repeat it 3 times before he slowed down so I could hear what he was trying to say.

I blatantly ask him "is this a tech support scam?" I imagine he was either terrible at English or just didn't understand me because he said yes and asked how he could help. So I tell him that he's not listening, and I asked if it was a scam. He tells me he's tech support and can remotely connect to remove the malware. I let him know that first off, a web browser isn't going to detect malware on your computer like that and that I am the tech support. After a bit of back and forth and me insisting that it is indeed a scam, he replied that if companies like Microsoft charge for fixing computers and it's not a scam then they were not a scam.

Eventually... he hung up on me. I imagine it was something to do with me laughing at him and calling it a stupid scam.

Now the reason I post this is for a simple reason. I believe that if you can recognize scams like these, you should pick up the phone and bug the scammers and liars. Try this number if you want, call them up and if "tech support" answers, have some fun. Make a bogus report and give them fake credit card info or just simply call them out. I think scams like this are done just simply because it is so easy as most people who can tell it is a scam just ignore it and those that can't lose.

That's just my thoughts, anyway. It really bothers me when others take advantage of people like that.

***Edit: Just wanted to add this because I decided to call it again just because. So, this guy I ask for the name of the company he works for. After some poking and prodding, I get him spewing out some really bad fake information about his company and its support. Eventually, after pointing out he didn't know jack, he hung up and then all I got was a disconnected message. How rude.

Sunday, January 24, 2016

Information Dump: CompTIA Security+

So a few days ago, I passed the test to get my Security+. Now, I'm going to give you an idea of what the test was like. The reason I want to is because my cousin, who had already gotten the certification, said the test was easy. I was using the CertMaster material, and that stuff was hard as far as lots of little things to remember.

Well, here's the broad overview. Like the A+ tests, it includes simulations and multiple choice. The simulations were not exactly simulations so much as a visual word problem. The simulations were a bit confusing as far as the directions go, but once I understood what the goal was, it was easy.

The biggest problem I ran into was how the questions were worded. I had flagged a few for review and when I went through them again, I realized I had picked the wrong answer because I didn't understand the question correctly. So, I went through the whole test roughly three times before I ran out of time. When the questions were understood, the test itself was relatively easy, even for someone like myself with horrible test taking skills.

As far as must know material for the test, it jumped around a lot. I was assuming it would probably focus on some core concepts such as CIA or risk and controls, but that only seemed to be present in maybe two questions.

Either way, the test was easy to answer, just read the questions very carefully. Now here's my study guide/cheat sheet I made while studying for the test.

CompTIA Security+ Reference
