
Archive

Category: Free Software

These days you really need a strong, unique password for almost everything you do online. To make matters even worse for the average user, security nuts will tell you that you actually need a different password for essentially every account you hold. Why? Consider the following scenario:

Little Timmy signs up for Facebook using his super secret password @wesomeS@auce3!. This password is so strong and good that even he can hardly remember it. Then he wants a Twitter account, so he goes and signs up there using the same password. Some time passes and Timmy’s Twitter account is hacked. The attackers take the e-mail address associated with that account and try the same e-mail and password on Facebook (because it is a popular website that most people belong to) and, lo and behold, they are in. Little Timmy’s virtual life falls apart around him. This is so routine that it has a name, credential stuffing: username and password pairs leaked from one site get replayed against every other popular site.

Think I’m being paranoid? Take a look at these examples and adjust your tin foil hat accordingly.

What to do?

So what can you do about it? First, don’t use the password above, because now it is all over the internet. Second, use a strong, unique password for each website you care about. What do I mean by that? In the example above Timmy clearly cared about both Facebook and Twitter, so he should have used a different password for each. That way, when his hypothetical Twitter account was hacked, the attackers could not have reused the same password to get into his Facebook account. That said, it is always handy to have a throw-away password or two for those one-off websites that you will either never visit again or don’t care about if they get compromised (just never reuse that throw-away anywhere that matters). Third, either remember all of these unique passwords in your super-genius, conehead-sized brain or use a password safe to make it easy on yourself.

Password Safes

A password safe is a program that stores any number of passwords while requiring you to remember only one. You enter a master password into the program and this acts as the key that unlocks (decrypts) all of your other passwords. That way you (technically) only have to remember one password at a time (the master password) and you only have one password to change on a regular basis (although you should still refresh your other passwords every so often as well). A number of these programs exist (LastPass, etc.) but personally I prefer KeePass.

KeePass

KeePass comes in two flavours: version 1.x (which is technically now legacy) and version 2.x (which is current). Beyond feature set the biggest difference is that version 2.x requires the .NET Framework (or Mono) and version 1.x doesn’t. For the purposes of this post I’ll be focusing on version 2.x.

KeePass has a number of great features that make it indispensable in my day-to-day computing life. While the full feature list is actually quite long I’ll just list the most useful or important ones here:

  • Open source, which means the source code is there for anyone to inspect for backdoors or other nonsense that an evil author might slip in, rather than having to take the author’s word for it. This matters a great deal when you’re considering placing all of your password eggs in one proverbial basket.
  • When you create a new password entry you can store any sort of arbitrary information along with it:

    [Screenshot: New Password Entry]

  • All of your entries are stored encrypted, not just the passwords but also the comments, website URLs and user names. This is incredibly convenient because it allows you to safely do things like create an entry containing your credit card information. Never again will you have to hunt down your wallet to make that spur-of-the-moment online purchase!
  • It is portable – you can run it straight off of a USB stick, no installation required!
  • Rule-based, strong password generator. Having a long, strong password is very important but remembering one is very hard. Instead, why not have KeePass generate a per-website, completely random, strong password for you? Using a website that for some reason doesn’t like special characters or only allows up to a 12 character password? No problem, just change the rule set you use when you generate that particular password (and make it as long as the site permits, since a smaller character set has to be compensated for with length).
    [Screenshot: Password Generator]

    Here are some examples of random passwords I just generated now:

    [Screenshot: Lots of random passwords!]

  • Cross-platform – KeePass has implementations on almost every platform. Version 1.x runs on Windows, Mac and Linux (via KeePassX). Version 2.x runs on Windows, Mac and Linux (using Microsoft’s .NET or the open source Mono). There are even versions of it for Android, iPhone and others.
  • Auto-type – this is by far the best feature. Even if you, for some reason, didn’t want to use any other feature that KeePass has to offer, its Auto-type functionality alone is worth the install. Essentially you tell KeePass what window title to look for (for instance Firefox browsing my bank’s website) and how it should type things for you (usually user name, tab, password, enter). Then you set up some key combination you want to use (like Ctrl + Alt + A) and KeePass does all of the typing for you. Now when I want to enter one of those crazy strong and super random passwords I don’t have to type it out or even copy and paste. I simply click my mouse in the user name field and press Ctrl + Alt + A. Since the match is made on the window title, make the title pattern specific enough that some other window (or another site open in the same browser) cannot claim the same title and receive your credentials. The genius of this is that it works for all accounts on your computer, not just website ones – for instance I use it at work to keep track of my passwords for our internal programs.
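The rule-based generation described above, as an added example that is not part of the original post and not KeePass’s code: a shell function that draws a password of a given length from a given character class, and a second one that reports how many bits of entropy a rule set actually buys you (length × log2 of the alphabet size), which is the number to compare when a site forces the “12 characters, no specials” rule. It assumes a Linux-like system with /dev/urandom, tr, head and awk.

```shell
#!/bin/sh
# Added example (not from the original post, not KeePass code): rule-based random
# password generation on the command line, plus the entropy each rule set provides.
# Assumes /dev/urandom, tr, head and a POSIX awk.

# gen_password LENGTH CHARSET
# CHARSET is a tr(1) character class such as 'A-Za-z0-9' or 'A-Za-z0-9!@#$%^&*()_+='.
gen_password() {
    len=$1
    charset=$2
    # LC_ALL=C keeps tr's ranges byte-based so locale collation cannot widen the set.
    LC_ALL=C tr -dc "$charset" </dev/urandom | head -c "$len"
    echo
}

# password_entropy_bits LENGTH ALPHABET_SIZE
# Entropy of a uniformly random password: LENGTH * log2(ALPHABET_SIZE), one decimal.
password_entropy_bits() {
    awk -v n="$1" -v s="$2" 'BEGIN { printf "%.1f\n", n * log(s) / log(2) }'
}

# The two rule sets mentioned in the post: a site that forbids specials and caps the
# length at 12 (62 symbols) versus 16 characters from the 95 printable ASCII symbols.
if [ "${1:-}" = "--demo" ]; then
    printf '12 chars, [A-Za-z0-9] (62 symbols): %s bits\n' "$(password_entropy_bits 12 62)"
    printf '16 chars, printable ASCII (95 symbols): %s bits\n' "$(password_entropy_bits 16 95)"
    gen_password 12 'A-Za-z0-9'
    gen_password 16 'A-Za-z0-9!@#$%^&*()_+='
fi
```

Run it with --demo to see both numbers; the 12-character alphanumeric password comes out at roughly 71 bits against roughly 105 for the 16-character one, which is why the length rule hurts more than the missing specials.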

WHO IS PAYING YOU?

All of this praise may make it seem like I’m getting paid to write this article but that isn’t the case (not that I would turn the money down mind you *hint hint*…). KeePass is just one of those programs I use daily that does so many things right I can’t help but like it. So in conclusion give it, or a similar password store, a try and make your online presence more resilient to password hacking. Let me know which password safes you think are awesome.

Ever wanted your computer to be on when you need it but automatically put itself to sleep (suspended) when you don’t? Or maybe you just wanted to create a really elaborate alarm clock?

I stumbled across this very useful command a while back but only recently created a script that I now run to control when my computer is suspended and when it is awake.

#!/bin/sh
# Unix time of today's 17:00; change this to the time the machine should wake
t=`date --date "17:00" +%s`
# Cache sudo credentials now so the later commands don't prompt mid-script
sudo /bin/true
# Program the RTC alarm (-u: hardware clock is kept in UTC; -m on: only wait for the alarm, don't suspend)
sudo rtcwake -u -t $t -m on &
sleep 2
# Actually put the machine to sleep
sudo pm-suspend

This creates a variable, t above, holding the Unix time of today’s 17:00 (5pm) and then runs rtcwake to program the computer’s real-time clock to wake the machine at that time. The -u flag tells rtcwake that the hardware clock runs on UTC (drop it if yours is kept in local time, as is common on machines that dual-boot Windows), and -m on makes rtcwake wait for the alarm rather than suspend the system itself, which is why it is sent to the background with &. The sudo /bin/true beforehand does nothing except cache your sudo credentials so the later commands don’t stop to ask for a password. The script then sleeps for 2 seconds (to let rtcwake finish setting the alarm) and runs pm-suspend, which actually puts the computer to sleep. When run, the computer suspends right away and wakes up at whatever time you specified. Note that date --date "17:00" means 17:00 today, so if the script runs after that time the alarm it sets is already in the past.

For the final piece of the puzzle, I’ve scheduled this script to run daily (when I want the PC to actually go to sleep) and the rest is taken care of for me. As an example, say you use your PC from 5pm to midnight but the rest of the time you are sleeping or at work. Simply schedule the above script to run at midnight and when you get home from work it will be already up and running and waiting for you.

I should note that your computer must have compatible hardware to make advanced power management features like suspend and wake work so, as with everything, your mileage may vary.
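The same procedure as an added example, not the original post’s script: it rolls the wake time over to tomorrow when the requested clock time has already passed, lets rtcwake only set the alarm (-m no) so no background job or sleep is needed, checks that rtcwake is present, and keeps the suspend command in a variable since pm-suspend has largely been replaced by systemctl suspend. It assumes GNU date, rtcwake from util-linux and sudo; SUSPEND_CMD is a name chosen here.

```shell
#!/bin/sh
# Added example (not the original post's script): suspend now, wake at the next HH:MM.
# Assumes GNU date, rtcwake from util-linux and sudo. pm-suspend is what the post used;
# set SUSPEND_CMD="systemctl suspend" on a systemd machine.

SUSPEND_CMD=${SUSPEND_CMD:-pm-suspend}

# next_wake_epoch HH:MM [REFERENCE]
# Prints the Unix time of the next occurrence of HH:MM after REFERENCE (default: now).
next_wake_epoch() {
    target=$1
    ref=${2:-now}
    now_s=$(date -d "$ref" +%s) || return 1
    day=$(date -d "$ref" +%F) || return 1
    wake_s=$(date -d "$day $target" +%s) || return 1
    if [ "$wake_s" -le "$now_s" ]; then
        # Already past for today: same clock time tomorrow. The date is advanced on its
        # own first so "+1" cannot be read as a time-zone offset after HH:MM.
        tomorrow=$(date -d "$day +1 day" +%F) || return 1
        wake_s=$(date -d "$tomorrow $target" +%s) || return 1
    fi
    echo "$wake_s"
}

# schedule_suspend HH:MM: program the RTC alarm, then suspend.
schedule_suspend() {
    wake=$(next_wake_epoch "$1") || { echo "bad time: $1" >&2; return 1; }
    command -v rtcwake >/dev/null 2>&1 || { echo "rtcwake not installed" >&2; return 1; }
    sudo /bin/true || return 1                  # cache sudo credentials up front
    # -u: the hardware clock runs on UTC; -m no: set the alarm only, do not suspend here.
    sudo rtcwake -u -m no -t "$wake" || return 1
    echo "alarm set, waking at $(date -d "@$wake")"
    sudo $SUSPEND_CMD                           # unquoted so "systemctl suspend" splits
}

if [ "${1:-}" = "--run" ]; then
    schedule_suspend "${2:-17:00}"
fi
```

Schedule it from cron as `script.sh --run 17:00` at the time you want the machine to go down; if the clock time has already gone by when the job fires, the alarm lands on the following day instead of in the past.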

It is a pretty common practice to use the command dd to make backup images of drives and partitions. It’s as simple as the command:

dd if=[input] of=[output]

A while back I did just that and made a dd backup of not just a partition but of an entire hard drive. This was very simple (I just used if=/dev/sda instead of something like if=/dev/sda2). The problem came when I tried to mount this image. With a partition image you can just use the mount command like normal, i.e. something like this:

sudo mount -o loop -t [filesystem] [path to image file] [path to mount point]

Unfortunately this doesn’t make any sense when mounting an image of an entire hard drive. What if the drive had multiple partitions? What exactly would it be mounting to the mount point? After some searching I found a series of forum posts that dealt with just this scenario. Here are the steps required to mount your whole drive image:

1) Use the fdisk command to list the drive image’s partition table:

fdisk -ul [path to image file]

This should print out a lot of useful information. For example you’ll get something like this:

foo@bar:~$ fdisk -ul imagefile.img
You must set cylinders.
You can do this from the extra functions menu.

Disk imagefile.img: 0 MB, 0 bytes
32 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x07443446

        Device Boot      Start         End      Blocks   Id  System
imagefile.img1   *          63      499967      249952+  83  Linux
imagefile.img2          499968      997919      248976   83  Linux

2) From that output take note of the sector size (512 bytes in the above example) and the start sector of the partition you want to mount (63 for the first partition above, 499968 for the second).

3) Use a slightly modified version of the mount command (with an offset) to mount your partition.

mount -o loop,offset=[offset value] [path to image file] [path to mount point]

Note that there is no space after the comma: mount options are a single comma-separated argument, and -o loop, offset=... would hand mount two separate arguments so the offset is lost. Using the example above the offset value is sector size * start sector, so 512 * 63 = 32256 (for the second partition it would be 512 * 499968 = 255983616). The command would look something like this:

mount -o loop,offset=32256 imagefile.img /mnt/point

That’s it. You should now have that partition from the dd backup image mounted at the mount point. If the image is a backup or evidence you don’t want altered, add ro (i.e. -o ro,loop,offset=32256) so nothing is written to it; for an ext3/ext4 image with a dirty journal add noload as well, because even a read-only mount will otherwise replay the journal into the image. On a current util-linux you can also skip the arithmetic altogether: losetup --find --show -P imagefile.img attaches the image and creates one device per partition (for example /dev/loop0p1), which you then mount like any other block device, and losetup -d /dev/loop0 detaches it afterwards.
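The three steps above, as an added example rather than anything from the original post: shell functions that pull the sector size and a partition’s start sector out of fdisk’s listing, multiply them into the byte offset mount wants, and mount that partition read-only. They assume util-linux fdisk output in sectors (fdisk -l on current versions; the post used fdisk -ul on an older one), a kernel with loop support and root for the mount itself; the parsing is checked against a constructed copy of the post’s sample listing embedded below.

```shell
#!/bin/sh
# Added example (not from the original post): derive the byte offset of a partition from
# fdisk's partition table and mount it read-only. Assumes util-linux fdisk output in
# sectors, mount with loop support, and root for the mount itself.

# sector_size FDISK_OUTPUT: prints the sector size in bytes from the "Units ..." line.
sector_size() {
    while read -r line; do
        case "$line" in
            Units*bytes)
                size=${line% bytes}     # "Units = sectors of 1 * 512 = 512" (old and new layouts)
                printf '%s\n' "${size##* }"
                return 0 ;;
        esac
    done <<EOF
$1
EOF
    return 1
}

# partition_start FDISK_OUTPUT N: prints the start sector of partition N.
partition_start() {
    while read -r dev f1 f2 rest; do
        case "$dev" in *[!0-9]"$2") ;; *) continue ;; esac   # e.g. image.img1, /dev/loop0p1
        case "$f1" in
            '*') printf '%s\n' "$f2" ;;   # bootable flag present: start is the next column
            *)   printf '%s\n' "$f1" ;;
        esac
        return 0
    done <<EOF
$1
EOF
    return 1
}

# partition_offset FDISK_OUTPUT N: start sector * sector size, the value offset= wants.
partition_offset() {
    start=$(partition_start "$1" "$2") || return 1
    size=$(sector_size "$1") || return 1
    echo $((start * size))
}

# mount_image_partition IMAGE N MOUNTPOINT: mount partition N of a whole-disk image,
# read-only so the image stays a faithful copy of the drive.
mount_image_partition() {
    table=$(fdisk -l "$1") || return 1
    off=$(partition_offset "$table" "$2") || { echo "partition $2 not found in $1" >&2; return 1; }
    mount -o ro,loop,offset="$off" "$1" "$3"
}

# Constructed sample, copied from the post's fdisk listing (used for the demo and the test).
SAMPLE_FDISK='Disk imagefile.img: 0 MB, 0 bytes
32 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x07443446

        Device Boot      Start         End      Blocks   Id  System
imagefile.img1   *          63      499967      249952+  83  Linux
imagefile.img2          499968      997919      248976   83  Linux'

if [ "${1:-}" = "--demo" ]; then
    echo "partition 1 offset: $(partition_offset "$SAMPLE_FDISK" 1)"
    echo "partition 2 offset: $(partition_offset "$SAMPLE_FDISK" 2)"
fi
```

The bootable-flag handling is the part that trips up naive column counting: the `*` shifts the start sector one column to the right on that one line, so the function looks at the first column after the device name and skips it if it is the flag.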

I recently re-built an older PC from a laundry list of Frankenstein parts. However before installing anything to the hard drive I found I wanted to check it for physical errors and problems as I couldn’t remember why I wasn’t using this particular drive in any of my other systems.

From an Ubuntu 12.04 live CD I used GParted to delete the old partition on the drive. This let me start from a clean slate. After the drive had absolutely nothing on it I went searching for an easy way to test the drive for errors. I stumbled across this excellent article and began using badblocks to scan the drive. Basically what this program does is write to every block on the drive and then read it back to ensure that it still holds the data that was just written.

Here is the command I used. NOTE: This command is destructive and will damage the data on the hard drive. DO NOT use this if you want to keep the data that is already on the drive. Please see the above linked article for more information.

badblocks -b 4096 -p 4 -c 16384 -w -s /dev/sda

What does it all mean?

  • -b sets the block size in bytes. Most drives these days use 4096 byte physical sectors; blockdev --getpbsz /dev/sda will tell you if you are unsure.
  • -p sets the number of passes. With -p 4 badblocks keeps scanning until it has completed 4 consecutive passes without discovering a new bad block, at which point it considers the job done; the default is a single pass.
  • -c sets the number of blocks tested at a time. Larger values speed things up but need correspondingly more RAM: 16384 blocks of 4096 bytes is a 64 MiB buffer, and write mode needs room for the read-back as well.
  • -w turns on write mode. badblocks writes a test pattern to every block, reads it back and compares; it cycles through the patterns 0xaa, 0x55, 0xff and 0x00, so each pass writes the entire drive four times. This is what makes the command destructive.
  • -s turns on progress reporting, so you can see how far through the drive it has gotten.
  • /dev/sda is the path to the drive I’m scanning. Your path may be different, so check it against lsblk before pressing enter: pointing -w at the wrong device wipes that device instead.

I have been meaning to write up a short post about this for a while, but thanks to the start of a new school term I have been a bit busy.

If you have seen the security news in the last month or so you will know that RSA-768, a 768bit or 232 decimal digit asymmetric key, has been broken (factored). This has important security repercussions for all of us because it is these public key algorithms like RSA, or ElGamal, that guard our online transactions, and e-mail conversations.

So just how much should we be worrying about this newest ‘break’?

When it comes to RSA it is important to remember that its security rests on our inability to factor large numbers quickly: the public modulus is the product of two large primes, and whoever recovers those primes can compute the private key. (ElGamal and Diffie-Hellman rest on a related problem, the discrete logarithm, which is attacked with the same family of number field sieve techniques.) The only real way RSA could be considered broken is if we found a way to drastically speed up factoring, and that time is still far away. In fact, after digging into the news articles a little more, it quickly became obvious that factoring a 768-bit modulus, while an enormous effort, was expected: it used the same general number field sieve approach as earlier records, just with far more computation thrown at it.

So what now?

Nothing. Currently the most popular asymmetric key size in use is 1024-bit RSA, which the researchers estimate represents a workload increase of over 1000 times compared to RSA-768. Still afraid? Check out the list of RSA challenges that have been issued over the years and just how few have actually been ‘broken’.

In choosing my current PGP/GPG public key I decided to go with a 2048bit one, which, according to all accounts, will be safe for years to come. As always, I recommend checking out this site for the most up to date key length recommendations from the world’s foremost cryptography experts.

There you have it

With the knowledge that your online transactions are still safe you have nothing to worry about.

For reference, the currently recommended key lengths for asymmetric encryption algorithms, like RSA, are 1976bit (BSI recommendation for use after 2016), 2048bit (NSA recommendation for current and future use), and 2432 (ECRYPT II recommendation for protection until at least 2030).
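Where the “over 1000 times” figure comes from, as an added example that is not part of the original post: the best known algorithm for factoring an RSA modulus, the general number field sieve, has heuristic running time L_n[1/3, c] = exp(c · (ln n)^(1/3) · (ln ln n)^(2/3)) with c = (64/9)^(1/3). The function below evaluates that expression with awk (the o(1) term in the exponent is dropped, which is the usual back-of-the-envelope simplification) and reports how much more work one key size needs than another, so you can check the 768 → 1024 claim and see what 2048 buys. It assumes only a POSIX awk.

```shell
#!/bin/sh
# Added example (not from the original post): GNFS work estimates for RSA key sizes.
# L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)), c = (64/9)^(1/3), o(1) dropped.
# Assumes a POSIX awk (log, exp and ^ are all standard).

# gnfs_log_work BITS: natural log of the GNFS work estimate for a BITS-bit modulus.
gnfs_log_work() {
    awk -v bits="$1" 'BEGIN {
        ln_n = bits * log(2)                  # ln n for an n of the given size
        c    = (64 / 9) ^ (1 / 3)
        printf "%.6f\n", c * ln_n ^ (1 / 3) * log(ln_n) ^ (2 / 3)
    }'
}

# gnfs_work_ratio SMALL_BITS LARGE_BITS: work(LARGE) / work(SMALL), rounded to an integer.
gnfs_work_ratio() {
    a=$(gnfs_log_work "$1")
    b=$(gnfs_log_work "$2")
    awk -v a="$a" -v b="$b" 'BEGIN { printf "%.0f\n", exp(b - a) }'
}

# Compare the sizes mentioned in the post against the RSA-768 record.
if [ "${1:-}" = "--demo" ]; then
    for bits in 1024 1976 2048 2432 3072; do
        printf 'RSA-%s is about %s times the work of RSA-768\n' \
            "$bits" "$(gnfs_work_ratio 768 "$bits")"
    done
fi
```

The 768 → 1024 step comes out at a bit over a thousand, matching the researchers’ estimate; 1024 → 2048 is another factor of roughly a billion, which is why the jump to 2048-bit keys is the one that actually buys headroom rather than a few more years.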

I honestly don’t remember how I came across this awesome project but I am certainly glad I did! XMLVM is a software toolchain which is designed to take cross-compilation to a whole new level. Rather than just offer OS portability, XMLVM is able to actually offer OS, hardware and programming language portability.

Here’s how it works: you write a program in a programming language of your choice, say C# on .NET. Once compiled you send it through the first step of XMLVM, which analyzes the produced CIL (the .NET bytecode) and creates an XML document out of it, one element per instruction. It would end up looking something like this:

<clr:ldc type="int" value="2"/>
<clr:rem/>

Next this XML document is fed through what XMLVM calls data-flow analysis (DFA). Basically you can think of the DFA output as a pseudo-language that simply describes the operations the program is trying to perform, independent of the source VM. Once in this form the code is considered portable. XMLVM then lets you pick a target, for example the JVM, and automates the conversion of the DFA form to an XML representation of Java bytecode. From there it’s an easy conversion back to real Java bytecode.

Now think about this in practical terms for a second. That means that you can write a program in a .NET language (C#), and have it automatically ported and compiled to Java. Expand on this a bit and consider that you can write the same program in any language and have it converted to any other language. Currently the XMLVM offers a lot of other cool options as well and has actually been designed a lot with mobile devices in mind. Now you can write a program once and have it automatically converted to Objective-C, to run on the iPhone, and to Java to run on Android.

I really hope that this project continues to improve and I will certainly be watching it closely. It is still very early in development but from what I have seen it is simply brilliant.

Well, at least for now. Check out the site to see what everyone thought about the experiment as a whole.

Check it out here: The Linux Experiment

That’s right an update to your favourite hash verification program! :P

This update includes a few new features that some of you might find useful. It also includes help documentation which walks you through how to use it!

New Features

  • Menu strip for even easier use
  • Export feature that writes all of the hashes to a single file
  • About dialog that provides information about the program
  • Help documentation

Requirements:

  • All platforms: .NET 2.0+ / Mono, a graphical display
  • *nix platforms: WinForms (identified as System.Windows.Forms)

As always the binary only package contains just the executable, whereas the all package contains the source code as well.

                   Binary Only Package                 All Package
File name:         hash_verifier_0_2_0_0_binary.zip    hash_verifier_0_2_0_0_all.zip
File hashes:       Download Here
GPG signature:     Download Here                       Download Here
Screenshots:       Screenshot 1, Screenshot 2
License:           LGPL (View Here)
Version:           0.2.0.0
File size:         171.5KB                             530.1KB
File download:     Download Here                       Download Here

Some of you may remember an old Windows program of mine called Hash Verifier. It was a graphical utility that let people generate hashes of their files and compare them to known hashes, ensuring that their files had not been corrupted. (A matching hash only proves the file is the one the hash list describes; if the list travelled over the same channel as the file, both could have been swapped together, which is why the downloads below also carry a GPG signature.) Well, in recent months my foray into the world of Linux has finally taken me into the realm of programming on that platform. Being primarily a .NET developer on Windows, I have found the Mono project on Linux to be an absolute breath of fresh air.
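What a hash verifier like the one described here (and released above) actually checks, as an added example that is not Hash Verifier’s code: a shell function that reads a hash list in sha256sum’s “hex  filename” format and reports, per entry, whether the file matches, differs, or is missing, returning success only when every entry matches. The fixture it checks itself against is constructed in a temporary directory; it assumes GNU coreutils (sha256sum, cut, mktemp). Note that if someone controls the download channel they can replace the hash list along with the file, so the list itself needs an out-of-band check such as the GPG signature published next to it.

```shell
#!/bin/sh
# Added example (not Hash Verifier's code): hash-list verification with coreutils.
# Assumes sha256sum, cut and mktemp. A matching hash proves the file equals what the
# list describes; trust in the list comes from a signature, not from the list itself.

# file_sha256 FILE: prints the lowercase hex SHA-256 of FILE.
file_sha256() {
    sha256sum -- "$1" | cut -d ' ' -f 1
}

# verify_hashes HASHFILE [DIR]: one OK / FAILED / MISSING line per entry in HASHFILE
# (sha256sum format); returns 0 only if every listed file is present and matches.
verify_hashes() {
    hashfile=$1
    dir=${2:-.}
    status=0
    while read -r expected name; do
        [ -n "$expected" ] || continue            # skip blank lines
        name=${name#\*}                           # sha256sum prefixes binary-mode entries with '*'
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"; status=1
        elif [ "$(file_sha256 "$path")" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "FAILED   $name"; status=1
        fi
    done < "$hashfile"
    return $status
}

# make_fixture DIR TAMPER: constructed test data. With TAMPER=1 one file is modified after
# the list was written and the list gains an entry for a file that does not exist.
make_fixture() {
    printf 'release build\n' > "$1/good.bin"
    printf 'release build\n' > "$1/other.bin"
    (cd "$1" && sha256sum good.bin other.bin > hashes.txt)
    if [ "$2" -ne 0 ]; then
        printf 'trojaned build\n' > "$1/other.bin"
        printf '%s  missing.bin\n' "$(file_sha256 "$1/good.bin")" >> "$1/hashes.txt"
    fi
}

# demo_verify TAMPER: build a fixture in a temp dir, verify it, clean up; returns
# verify_hashes' status (0 for the clean set, 1 for the tampered one).
demo_verify() {
    tmp=$(mktemp -d) || return 2
    make_fixture "$tmp" "$1"
    verify_hashes "$tmp/hashes.txt" "$tmp"; rc=$?
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then
    echo "clean set:";    demo_verify 0
    echo "tampered set:"; demo_verify 1
fi
```

Running it with --demo prints two OK lines for the clean set and then OK, FAILED and MISSING for the tampered one; in real use you would point verify_hashes at the downloaded hash list after checking its signature with gpg --verify.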

“Monkey” project

The Mono project is an open source implementation of Microsoft’s .NET common language runtime and a C# compiler. On Linux the easiest way to program in a Mono language is within the project’s own integrated development environment called MonoDevelop.

C is a sharp language

C# is a very powerful programming language that falls somewhere between C and Java in terms of syntax. While my experience with C# has been limited in the past, I was easily able to pick it up quickly thanks to my background in both C and Java, as well as fellow .NET language Visual Basic.

The challenge

Digging up an old .NET project of mine, Hash Verifier, I decided to challenge myself to port the application to Mono. In order to do this I needed to accomplish the following:

  • The original application ran on Microsoft’s .NET on the Windows platform. The new application must run on both .NET on Windows and Mono on supported platforms.
  • The original application was written in Visual Basic. The new application must be written in C#.
  • The original application has a GUI powered by the native Windows.Forms. The new application needs to have a GUI that works in a similar way on all platforms.
  • The new application must be able to fully re-create all of the old application’s features and functions.

Porting = easy

I must say that porting this old application to C#/Mono was a relatively straightforward task. Although I had plenty of GUI toolkits to choose from I ended up sticking with the existing Windows.Forms. Once I had decided on using Windows.Forms as the basis for my GUI (WinForms is a free and open source implementation for non-Windows users!) I set out to create my new application. I was literally able to open the old Visual Basic GUI designer file, copy the code into my Mono workspace, change the syntax to C# and voila it worked!

In fact the only tricky part was trying to figure out a compatibility issue that .NET/Mono 2.0 seem to have with the new Windows Presentation Foundation (WPF). I’ll save you the gory details but basically drag and drop functionality would not work. I eventually rectified this issue by including a compiler flag telling .NET/Mono to execute the form in single thread apartments mode. You can see where I did this in my code by looking right above my static main function:

using System.Windows.Forms;

static class Program
{
    // Drag-and-drop in Windows Forms needs a single-threaded apartment (STA), hence the attribute
    [STAThreadAttribute]
    public static void Main()
    {
        Application.Run(new MainForm());   // MainForm is the application's main window
    }
}

Final result

With the application complete I must say I am impressed. Crafting and running applications for Mono is extraordinarily simple to do, seems very powerful, and the application itself only takes up a couple of MiB to run. In the future I definitely plan on doing more of this type of development now that I am using different operating systems every day.

Hash Verifier

If you are still using the old version of Hash Verifier, or if you would just like to try it out you can download the new Hash Verifier in two different ways. The package marked binary only contains just the program itself and the relevant documentation. The package marked all contains both the program, documentation as well as the source code.

Requirements:

  • All platforms: .NET 2.0+ / Mono, a graphical display
  • *nix platforms: WinForms (identified as System.Windows.Forms)

                   Binary Only Package                 All Package
File name:         hash_verifier_0_1_0_0_binary.zip    hash_verifier_0_1_0_0_all.zip
File hashes:       Download Here
GPG signature:     Download Here                       Download Here
License:           LGPL (View Here)
Version:           0.1.0.0
File download:     Download Here                       Download Here

Over at The Linux Experiment we have decided to shake things up a little bit by forcing a change of desktop environments on everyone. Whatever we have been using thus far has to go for at least two weeks. If you care to follow along you can start by reading about how my transition from KDE to GNOME went below.

Check it out here: The road to GNOME