Archive

Category Archives for "Thomas Habets blog"

ReFS integrity is not on by default

I really don’t like the trend of filesystem authors to only care about filesystem integrity by default. How about having a seat belt for your data integrity by default, and letting people turn it off if they want to compromise correctness for performance?

What I didn’t know is that ReFS integrity is not on by default. Only metadata integrity.

It’s also not visible or changeable in the UI (which is why I assumed they’d done the right thing), which is strange to me, this being Windows. No, you have to drop down into Microsoft’s crappy CLI.

How to check if it’s turned on.

Check files in one directory

PS E:\> Get-Item '*' | Get-FileIntegrity

FileName                       Enabled Enforced
--------                       ------- --------
E:\SomeDirectory               False   True
E:\SomeOtherDirectory          False   True
E:\SomeFile.txt                False   True
[...]

Fuck you, Microsoft.

Check recursively

Of course Get-Item doesn’t do recursion. Why would it? That would make sense.

PS E:\> Get-ChildItem -Recurse 'E:\SomeDirectory' | Get-FileIntegrity

FileName                       Enabled Enforced
--------                       ------- --------
E:\SomeDirectory\foo.txt       False   True
[...]

How to enable it

Both commands are needed. The first command sets the new default for the root directory, and the second adds checksums to all existing files and directories.

Microwave

Two interesting things I saw when listening to the output from my microwave:

  1. The frequency is not stable. I assume it’s not thermally controlled.
  2. Probably not a good idea to use WiFi channel 6, being 2.437GHz±11MHz and all.

Near the microwave

Some rooms away from the microwave

Separate measurement some rooms away.

Further from microwave

How to generate the graphs

# Edit usrp_spectrum_sense.py so that it prints time.time() instead of datetime.now()
./usrp_spectrum_sense.py --dwell-delay=0.1 -A RX2 -s 8000000 --real-time 2.4e9 2.5e9 > near-microwave.txt
# Edit near-microwave.txt to remove the stupid verbose messages from the top.
# The heredoc delimiter is quoted so the shell does not expand $1 and $5 in the plot script.
cat > microwave.plot << 'EOF'
set view map
set size ratio .9

set object 1 rect from graph 0, graph 0 to graph 1, graph 1 back
set object 1 rect fc rgb "black" fillstyle solid 1.0

set xlabel 'Time in seconds'
set ylabel 'Frequency'
set zlabel 'dB'
set terminal epslatex color
set output "near-microwave.eps"
splot 'near-microwave.txt' using ($1-1496693552.11):((($5/1000-2400000)/1000)):4 with points pointtype 5 pointsize 3 palette linewidth 30 title 'Signal'
EOF
gnuplot microwave.plot
convert near-microwave.{eps,png}

I can’t have GNUPlot output PNG directly because it hangs.

The magic value 1496693552.11 is the first timestamp in the file.

Decoding FSK

Something I’ve been playing with lately is software defined radio with GNURadio. I’m not good at it yet, but I’ve managed to decode the signals from a couple of things.

This is my step-by-step for how I decoded data from a boiler thermostat. I’m not saying it’s the best way, or even a good way. But it’s what got me there.

0. Find the frequency

Often this is written on the device itself. Other times it’s in the manual. If not, then more research is needed, such as by trying to find the manufacturer on fcc.gov or similar.

In this case it was easy. The manual said “868 MHz”, which is in the SRD860 band.

1. Capture some data

When I poked at the controls of the thermostat, saying “please make the room 25 degrees”, the thermostat must send this data to the boiler. I could hear the boiler start up and shut down, so there must be something sent between me pressing the buttons and me hearing the results.

I started by centering around 868.5 MHz with 1 Msps. The minimum for the RTL-SDR is 900 ksps, so even if you wanted to see less than 1 MHz you need Continue reading

Killing idle TCP connections

Why

Let’s say you have some TCP connections to your local system that you want to kill. You could kill the process that handles the connection, but that may also kill other connections, so that’s not great. You could also put in a firewall rule that will cause the connection to be reset. But that won’t work on a connection that’s idle (also if one side is initiator then using this method the other side would not tear down its side of the connection). There’s tcpkill, but it needs to sniff the network to find the TCP sequence numbers, and again that won’t work for an idle connection.

Ideally for these long-running connections TCP keepalive would be enabled. But sometimes it’s not. (e.g. it’s not on by default for gRPC TCP connections, and they certainly can be long-running and idle).

You could also do this by attaching a debugger and calling shutdown(2) on the sockets, but having the daemon calling unexpected syscalls thus getting into an unexpected state doesn’t really make for a stable system. Also attaching a debugger hangs the daemon while you’re attached to it.

This post documents how to do this on a Debian system.

Continue reading

Windows SSH client with TPM

I managed to get an SSH client working using an SSH pubkey protected by a TPM.

This is another post in my series on playing with TPM chips:

Optional: Take ownership of the TPM chip

This is not needed, since TPM operations only need the well-known SRK PIN, not the owner PIN, to do useful stuff. I only document it here in case you want to do it. Microsoft recommends against it.

  1. Set OSManagedAuthLevel to 4

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM\OSManagedAuthLevel 2 -> 4

    Reboot.

  2. Clear TPM

    Run tpm.msc and choose “Clear TPM”. The machine will reboot and ask you to press F12 or something for physical proof of presence to clear it.

  3. Set owner password from within tpm.msc

Set up TPM for SSH

  1. Create key

    tpmvscmgr.exe create /name "myhostnamehere VSC" /pin prompt /adminkey random /generate

    PIN must be at least 8 characters.

  2. Create CSR

    Create a new text file req.inf:

    [NewRequest]
    Subject = "CN=myhostnamehere"
    Keylength = 2048
    Exportable = FALSE
    UserProtected = TRUE
    MachineKeySet = FALSE
    ProviderName = "Microsoft Base Smart Card Crypto Provider"
    ProviderType = 1
    RequestType = PKCS10
    KeyUsage = 0x80

    certreq -new -f req.inf myhostname.csr

    If you get any errors, just reboot and try again with the command that failed.

  3. Get the CSR signed by any Continue reading

HSBC is not a real bank

From a customer’s perspective it’s hard to tell if HSBC UK is some sort of performance art as opposed to a real bank.

I will add more things to this blog post as they occur to me, since this is the first time I’m writing these down in one place some of the many many absurdities are bound to slip my mind.

How are they absurd? Let me count the ways.

You can only view about one month of transaction history in your account, and you see it in the logical reverse chronological order.

For anything older, you have to check your “statements”, which have overlapping data and are in chronological order. They have the data. They just refuse to show it to me in a useful form.

So if you want to inventory one month of expenses you now have to synchronize your recent transactions (reverse chronological) with one or two overlapping chronological ones. Oh, and multiply this by two to look at debit and credit card expenses.

If you thought the main banking website was bad (and it’s terrible. If you don’t think it’s absolutely awful then you’ve never seen e.g. SEB to compare), then you should Continue reading

Ubiquiti gear replacing BT HomeHub router

These are my notes from setting up a Ubiquiti wifi access point and router to replace the horrible BT HomeHub 5.

What’s wrong with BT HomeHub?

  • It can’t hand out non-BT DNS servers (and BT’s DNS servers MITM your queries and spoof NXDOMAIN if the reply has rfc1918 addresses in them. This is known and they “can’t” turn this off)
    • This means that I had to turn off the DHCP server and run my own on a Raspberry Pi. So I’m actually replacing two devices. It was already not an all-in-one-box solution.
  • The port forwarding database is not using unique key constraints, so you have to try and re-try adding port forwardings until you’re lucky and don’t hit a key collision.
  • Only one wifi network. I want untrusted things (IoT) to be firewalled from the rest.
  • I want to deny Internet access to some IoT things. I don’t need them to be able to connect anywhere. HomeHub doesn’t support that.
  • Wifi range is not great. Not terrible, but bad enough that it doesn’t cover my home.
  • I don’t know if it’s to blame, but I did not have a good experience trying to set up a second AP to automatically roam Continue reading

Yubikey 4 for SSH with physical presence proof

This is another post in the series of how to protect SSH keys with hardware, making them impossible to steal.

This means that you know that your piece of hardware (e.g. Yubikey or TPM inside your laptop) was actively involved in the transaction, and not, say, turned off and disconnected from the Internet at the time (like in a safe or on an airplane).

What’s new this time is that we can now have a physical presence test on every use of the key. That means that even if someone hacks your workstation completely and installs a keylogger to get your PIN, unless they also break into your home they can’t use the key even while the machine is on and connected. Evil hackers in another country are out of luck.

Intro

Most of this is a repeat of official docs (see references).

If it looks like a command is hanging, check to see if the Yubikey is flashing. If it is, then touch it.

The touch feature is optional. If you don’t want a key to require it, you can choose to generate a key that doesn’t.

Install yubico-c, ykpersonalization, and yubico-piv-tool

sudo apt-get install help2man gengetopt libtool  Continue reading

How I made my custom keyboard layout on Linux and Windows

This post explains how to set up a keyboard layout the way I like it. It may not fit you at all, but it may give you ideas that would work for you.

In short: I remap Caps Lock to add some extra keys.

First a description of what my preferred keyboard layout is: I type Dvorak, but also want to occasionally use Swedish letters. There are a couple of Dvorak versions for Swedish, but since most of my typing is in English or programming I think they compromise too much on the accessibility of other keys to add these three Swedish characters.

Picture of my keyboard

So for a decade or so I’ve been remapping Caps Lock to AltGr and holding down AltGr to add new keys. Typing “ö” quickly became fluent and easy, since it involves holding down one key with my left hand and pressing a key with another.

I used this method even before I switched to Dvorak, because if you’ve ever coded on a Swedish keyboard you should know how terrible it is. I know several Swedish programmers who use US keyboard layout all the time because of this, and simply live without being able to type proper Swedish.

Continue reading

Building pov-ray on raspberry pi

This is just notes in case I need to do this again. It’s for my QPov project.

sudo apt-get install autoconf libboost-all-dev libjpeg-dev libtiff-dev libpng-dev
git clone https://github.com/POV-Ray/povray.git
cd povray
git checkout --track -b 3.7-stable origin/3.7-stable
cd unix
./prebuild.sh
cd ..
./configure --prefix=$HOME/opt/povray COMPILED_BY="My_Name on RPi"
make
make install

Scraping data from a BT home hub 5

If you have BT broadband and want to graph the synced speed and actual use of your broadband connection, and you use the BT provided router (Home Hub), then you can’t use SNMP to get these counters. But you can get the data over HTTP without too much trouble. Here’s some ugly one-liners for doing that.

Current byte counters on the Internet interface (down/up)

curl -s 192.168.42.1/nonAuth/wan_conn.xml \
    | sed -r '/wan_conn_volume_list/{N;s/.*\[.//;s/[^0-9]\],$//;s/%3B/ /g;s/^[0-9]+ ([0-9]+) ([0-9]+)$/\1 \2/g;p};d'

Current synced up speeds in bps (down / up)

curl -s 192.168.42.1/nonAuth/wan_conn.xml \
    | sed -r '/status_rate/{N;s/.*\[.//;s/[^0-9]\],$//;s/%3B/ /g;s/^([0-9]+) ([0-9]+) [0-9]+ [0-9]+/\2 \1/g;p};d'

Misc note

First I tried this. And it appeared to work. But only if someone had logged in to the web UI recently.

curl -s 192.168.42.1/cgi/cgi_ad_B_Internet.js \
    | sed -r '/wan_conn_volume_list/{N;s/.*\[.//;s/[^0-9]\],$//;s/%3B/ /g;s/.* ([0-9]+) ([0-9]+)$/\1 \2/g;p};d'

But then I try it on a different machine and… Oh… oh no. Oh say it ain’t so. Don’t tell me the BT home hub security is based on IP address? Oh… oh it is.

In conclusion

Yet another reason these routers are completely retarded. Other examples:

How to boot an encrypted system safely

These are my notes on how to set up a system securely, in a way that would prevent attackers from being capable of performing an “evil maid attack”.

The threat model

You have a Linux server that you want to protect against data theft and other backdoors. The attacker can get physical access to your hardware, for example by having access to the server room that houses your rack.

Your attacker is funded, but not super well funded. This will not protect you against intelligence agencies.

The attacker can buy a new server that looks just like the one you have. You will not be able to tell the difference from physical inspection.

You want to know that it’s safe to log in to your server after a suspicious power outage or reboot.

This solution assumes that once the system is booted and you log in, you have access to the secret data. In other words, this is not a protection for gaming consoles or kiosks.

Overview of the solution

First of all, full disk encryption using dm-crypt. Obviously. (other FDE also acceptable, of course)

Walking up to the server and typing the passphrase every reboot is not only tedious Continue reading
