I managed to get an SSH client working using an SSH pubkey protected by a TPM.
Setting a TPM owner password (the next few steps) is not needed: TPM operations only need the well-known SRK PIN, not the owner PIN, to do useful work. I only document it here in case you want to do it. Microsoft recommends against it.
Set OSManagedAuthLevel to 4
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM\OSManagedAuthLevel 2 -> 4
Reboot.
Clear TPM
Run tpm.msc and choose “Clear TPM”. The machine will reboot and ask you to press F12 or similar as physical proof of presence before clearing it.
Set owner password from within tpm.msc
Create key
tpmvscmgr.exe create /name "myhostnamehere VSC" /pin prompt /adminkey random /generate
PIN must be at least 8 characters.
Create CSR
Create a new text file req.inf:
[NewRequest]
Subject = "CN=myhostnamehere"
Keylength = 2048
Exportable = FALSE
UserProtected = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Base Smart Card Crypto Provider"
ProviderType = 1
RequestType = PKCS10
KeyUsage = 0x80
certreq -new -f req.inf myhostname.csr
If you get any errors, just reboot and try again with the command that failed.
Get the CSR signed by any
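As an added example, not code from the original post: the steps above (the optional registry change, virtual smart card creation, the request file and the CSR) collected into one PowerShell script to run from an elevated prompt. The `tpmvscmgr` and `certreq` invocations and the request file contents are the ones shown above; the host name parameter, the `-TakeOwnership` switch, the output file names and the final `certutil -dump` sanity check are my additions.

```powershell
# Added example, not from the original post. Automates the TPM virtual smart
# card + CSR steps. Assumptions: host name, file names and the -TakeOwnership
# switch are placeholders chosen here; change them for your machine.
#Requires -RunAsAdministrator
param(
    [string]$HostName = 'myhostnamehere',
    [switch]$TakeOwnership   # the optional step Microsoft recommends against
)
$ErrorActionPreference = 'Stop'

if ($TakeOwnership) {
    # OSManagedAuthLevel 2 -> 4 lets you set a separate owner password in
    # tpm.msc. Not required for the smart card use case (see above).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'OSManagedAuthLevel' `
        -PropertyType DWord -Value 4 -Force | Out-Null
    Write-Warning 'OSManagedAuthLevel is now 4. Reboot, clear the TPM in tpm.msc, set the owner password, then re-run without -TakeOwnership.'
    return
}

# Create the TPM-backed virtual smart card. You are prompted for the PIN
# (at least 8 characters); the admin key is random and not kept anywhere.
& tpmvscmgr.exe create /name "$HostName VSC" /pin prompt /adminkey random /generate
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr failed with exit code $LASTEXITCODE" }

# Request file: 2048-bit, non-exportable, user-protected key in the smart
# card CSP, so the private key is generated on the (virtual) card itself.
$inf = @"
[NewRequest]
Subject = "CN=$HostName"
KeyLength = 2048
Exportable = FALSE
UserProtected = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Base Smart Card Crypto Provider"
ProviderType = 1
RequestType = PKCS10
KeyUsage = 0x80
"@
$infPath = Join-Path $PWD 'req.inf'
$csrPath = Join-Path $PWD "$HostName.csr"
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key on the card and write the PKCS#10 request. The CSP asks
# for the card PIN here. The post's advice: on an error, reboot and retry.
& certreq.exe -new -f $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Sanity check (my addition): dump the request so you can confirm the
# subject and key length before sending it to the CA.
& certutil.exe -dump $csrPath
Write-Host "CSR written to $csrPath; get it signed by your CA."
```

Run it once with `-TakeOwnership` only if you actually want the owner password step; otherwise run it plainly after the TPM has been cleared. The PIN is never passed on the command line, so it does not end up in shell history.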
From a customer’s perspective it’s hard to tell if HSBC UK is some sort of performance art as opposed to a real bank.
I will add more things to this blog post as they occur to me; since this is the first time I’m writing these down in one place, some of the many, many absurdities are bound to slip my mind.
How are they absurd? Let me count the ways.
You can only view about one month of transaction history in your account, and you see it in the logical reverse chronological order.
For anything older, you have to check your “statements”, which have overlapping data and are in chronological order. They have the data. They just refuse to show it to me in a useful form.
So if you want to inventory one month of expenses you now have to synchronize your recent transactions (reverse chronological) with one or two overlapping chronological ones. Oh, and multiply this by two to look at debit and credit card expenses.
If you thought the main banking website was bad (and it’s terrible; if you don’t think it’s absolutely awful then you’ve never seen e.g. SEB to compare), then you should
These are my notes from setting up a Ubiquiti wifi access point and router to replace the horrible BT HomeHub 5.
This is another post in the series of how to protect SSH keys with hardware, making them impossible to steal.
This means that you know that your piece of hardware (e.g. Yubikey or TPM inside your laptop) was actively involved in the transaction, and not, say, turned off and disconnected from the Internet at the time (like in a safe or on an airplane).
What’s new this time is that we can now have a physical presence test on every use of the key. That means that even if someone hacks your workstation completely and installs a keylogger to get your PIN, unless they also break into your home they can’t use the key even while the machine is on and connected. Evil hackers in another country are out of luck.
Most of this is a repeat of official docs (see references).
If it looks like a command is hanging, check to see if the Yubikey is flashing. If it is, then touch it.
The touch feature is optional. If you don’t want a key to require it, you can choose to generate a key that doesn’t.
sudo apt-get install help2man gengetopt libtool
This post explains how to set up a keyboard layout the way I like it. It may not fit you at all, but it may give you ideas that would work for you.
In short: I remap Caps Lock to add some extra keys.
First a description of what my preferred keyboard layout is: I type Dvorak, but also want to occasionally use Swedish letters. There are a couple of Dvorak versions for Swedish, but since most of my typing is in English or programming I think they compromise too much on the accessibility of other keys to add these three Swedish characters.

So for a decade or so I’ve been remapping Caps Lock to AltGr and holding down AltGr to add new keys. Typing “ö” quickly became fluent and easy, since it involves holding down one key with my left hand and pressing a key with the other.
I used this method even before I switched to Dvorak, because if you’ve ever coded on a Swedish keyboard you should know how terrible it is. I know several Swedish programmers who use US keyboard layout all the time because of this, and simply live without being able to type proper Swedish.
These are just notes in case I need to do this again. They’re for my QPov project.
sudo apt-get install autoconf libboost-all-dev libjpeg-dev libtiff-dev libpng-dev
git clone https://github.com/POV-Ray/povray.git
cd povray
git checkout --track -b 3.7-stable origin/3.7-stable
cd unix
./prebuild.sh
cd ..
./configure --prefix=$HOME/opt/povray COMPILED_BY="My_Name on RPi"
make
make install
If you have BT broadband and want to graph the synced speed and actual use of your broadband connection, and you use the BT provided router (Home Hub), then you can’t use SNMP to get these counters. But you can get the data over HTTP without too much trouble. Here’s some ugly one-liners for doing that.
curl -s 192.168.42.1/nonAuth/wan_conn.xml \
| sed -r '/wan_conn_volume_list/{N;s/.*\[.//;s/[^0-9]\],$//;s/%3B/ /g;s/^[0-9]+ ([0-9]+) ([0-9]+)$/\1 \2/g;p};d'
curl -s 192.168.42.1/nonAuth/wan_conn.xml \
| sed -r '/status_rate/{N;s/.*\[.//;s/[^0-9]\],$//;s/%3B/ /g;s/^([0-9]+) ([0-9]+) [0-9]+ [0-9]+/\2 \1/g;p};d'
First I tried this. And it appeared to work. But only if someone had logged in to the web UI recently.
curl -s 192.168.42.1/cgi/cgi_ad_B_Internet.js \
| sed -r '/wan_conn_volume_list/{N;s/.*\[.//;s/[^0-9]\],$//;s/%3B/ /g;s/.* ([0-9]+) ([0-9]+)$/\1 \2/g;p};d'
But then I try it on a different machine and… Oh… oh no. Oh say it ain’t so. Don’t tell me the BT home hub security is based on IP address? Oh… oh it is.
Yet another reason these routers are completely retarded. Other examples:
These are my notes on how to set up a system securely, in a way that prevents an attacker from carrying out an “evil maid attack”.
You have a Linux server that you want to protect against data theft and other backdoors. The attacker can get physical access to your hardware, for example by having access to the server room that houses your rack.
Your attacker is funded, but not super well funded. This will not protect you against intelligence agencies.
The attacker can buy a new server that looks just like the one you have. You will not be able to tell the difference from physical inspection.
You want to know that it’s safe to log in to your server after a suspicious power outage or reboot.
This solution assumes that once the system is booted and you log in, you have access to the secret data. In other words, this is not a protection for gaming consoles or kiosks.
First of all, full disk encryption using dm-crypt. Obviously. (other FDE also acceptable, of course)
Walking up to the server and typing the passphrase every reboot is not only tedious
I decided to combine these two problems into one solution:
My solution is to convert Quake .dem files to .pov files and render them with POV-Ray.
Update: New better screenshot:
Quake scene rendered in POV-Ray. Two more here and here.
Quake is closing in on 20 years old now, and it’s starting to get annoying to make it even work. Yes, it’s opensource, and there are a couple of forks. But they’ve also always been annoying to get working. Hell, even GLQuake in Steam won’t start for me. (yes, I know this is a bad reason, but I’m doing this for fun)
Many of the tools and resources are hard to find. I couldn’t find ReMaic, and only found lmpc thanks to FreeBSD having made it a package. Converting demos to an ASCII format using lmpc helped in confirming that my file parsing was correct.
The steps needed to render a demo:
You spend all your waking time at a keyboard. This blog post is about keyboards, and can be summarized as: Buy quality, cry once.
I spend a lot of time typing on a keyboard, yet I have never looked into what keyboard would be best for me. There are natural keyboards and kinesis keyboards that people speak well of, but I spend a lot of time typing on laptops and don’t want a completely different setup for laptop and desktop.
I had the same concern before switching to Dvorak back when I was a consultant (thus often using other people’s managed machines), but happily switched after verifying that even on a locked-down Windows machine as a non-admin user I could select Dvorak. Also there are adapters from Dvorak to Qwerty that I could use in extremely locked-down environments such as the CCIE lab (they required a doctor’s note though, long story).
So it would have to be a keyboard that looks like a normal one. Preferably with Dvorak on the keycaps. It seems that mechanical keyboards are all the rage, so I thought I’d give that a go.
I ended up buying an 88-key Cherry MX brown-based
I've previously blogged about a secure connection between browser and proxy. Unfortunately that doesn't work on Android yet, since unless you use Google for Work (an enterprise offering) you can't set Proxy Auto-Config.
This post shows you how to get that working for Android. Also it skips the stunnel hop since it doesn't add value and only makes Squid not know your real address. I'm here also using username and password to authenticate to the proxy instead of client certificates, to make it easier to set up.
Hopefully this feature will be added to Chrome for Android soon (bug here) but until then you'll have to use the Android app Drony.
This way you can port forward one port from the NAT box to the proxy, and not have to use different ports everywhere.
I'll call this proxy corp-proxy.example.com.