<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><atom:link rel="hub" href="http://tumblr.superfeedr.com/" xmlns:atom="http://www.w3.org/2005/Atom"/><description>Just another console cowboy.
GnuPG Key ID: 0x18B4AA48

This blog is mostly tech rantings. If you know me, subscribe to my other blog for updates on my adventures.</description><title>.:[ a broken lcd ]:.</title><generator>Tumblr (3.0; @brokenlcd)</generator><link>http://brokenlcd.tumblr.com/</link><item><title>The Smart Card Project</title><description>&lt;p&gt;For the past two weeks, I have been working on a new smart card project. I’m using a low-end card for development and testing; it is certainly not a cryptographically strong card. The card is a ZeitControl Professional BasicCard ZC5.4; it has a processor supporting public key cryptography using elliptic curves over the field GF(2^167) which in theory provides the same cryptographic strength as 1024-bit RSA keys, 128-bit AES for session keys, and SHA-1 as a message digest algorithm. As previously stated, not cryptographically very secure but at 6 USD per card, financially affordable to develop a basic smart card platform. Unfortunately, it uses a modified form of BASIC (called ZC-BASIC) as the card language (which may also be used to develop the terminal aka PC-side application). Fortunately, it includes a Java API to use for terminal applications.&lt;/p&gt;&#13;
&#13;
&lt;p&gt;I’ve finished writing 90% of the card software at this point, with only encryption and decryption routines needing to be finished. I also have a terminal driver written in ZC-BASIC done, which merely allows testing of finished card commands.&lt;/p&gt;&#13;
&#13;
&lt;p&gt;The current phase of the project is researching some methods for implementing encryption / decryption, and writing the Java terminal software. At this point, I have the card service finished to implement all the card commands currently coded. Unfortunately, my Java skills are weak so I still need some work learning Swing and more Java to finish the terminal.&lt;/p&gt;&#13;
&#13;
&lt;p&gt;For those interested, there is a &lt;a title="BasicCard Elliptic Curve PKS" target="_blank" href="https://sourceforge.net/projects/bcecpks/"&gt;sourceforge page&lt;/a&gt; up; the ZeitControl IDE (which is woefully simple) is available from the &lt;a title="ZeitControl BasicCard page" target="_blank" href="http://www.basiccard.com"&gt;ZeitControl website&lt;/a&gt;.&lt;/p&gt;</description><link>http://brokenlcd.tumblr.com/post/196455044</link><guid>http://brokenlcd.tumblr.com/post/196455044</guid><pubDate>Fri, 25 Sep 2009 08:23:00 +0100</pubDate></item><item><title>So close...</title><description>&lt;p&gt;I picked up an episode of a TV show off the iTunes store. I figured since the music was all DRM free, so would the videos. That is definitely not the case. Fortunately, a while back, I had torrented Requiem; however, the latest versions of iTunes render Requiem useless. Using an archival site, I found iTunes version 8.0, installed it on the Windows virtual machine I have on my laptop, and tried running Requiem. Nothing. Kept getting the error that the file could not be decrypted.Then I realized that I had forgotten to authorize that iTunes instance with my ITMS account. Once that was done, I was able to start decrypting the file. About five minutes (or less) later, my .MP4 was ready and worked fine on my eeePC running Linux, although mplayer didn’t have the h.264 codec while VLC worked just fine.&lt;/p&gt;
&lt;p&gt;Now, what could an honest, law-abiding citizen such as myself possibly want with circumventing DRM? That’s stealing, isn’t it? Well the problem is that I only run Windows in a virtual machine. Sure, I buy music from ITMS, but that’s in a virtual machine where I then copy the (now) DRM-free music to my Linux music library, load it on to my iPod, and generally also transfer it to my OpenSolaris install on my laptop. Trying to play movies on the virtual machine is like trying to watch YouTube on dialup. Ain’t gonna happen. A decrypted file is necessary for me to actually watch the video files on anything other than a tiny iPod Classic screen.&lt;/p&gt;</description><link>http://brokenlcd.tumblr.com/post/176411493</link><guid>http://brokenlcd.tumblr.com/post/176411493</guid><pubDate>Mon, 31 Aug 2009 19:24:28 +0100</pubDate></item><item><title>the Java Tutorials</title><description>&lt;p&gt;I started learning Java this week for a project idea I had. I’m using the Java Tutorials bundled with the NetBeans IDE StarterKit DVD. This is the first time in learning a new language (and I’ve used C, C++, perl, python, various flavours of BASIC, PHP, and assembly on a couple different platforms) that I’ve learned about inheritance before learning about basic I/O. Well, to be fair, I know how to output things to the screen. I just don’t know how to input them. That lesson comes in the second trail, “Essential Classes,” right after Exception Handling. What a crazy world.&lt;/p&gt;

&lt;p&gt;*** DANGER: HERE BE POLITICAL RAMBLINGS ***&lt;/p&gt;

&lt;p&gt;*** DON’T PANIC ***&lt;/p&gt;
&lt;p&gt;Also, Japan has a different political party in power for the first time in 50 years. I’m skeptical, as I always am of polichickens as I find they’re the same the world over, but hopefully Japan doesn’t get screwed over by the promise of change as we seem to have been. All this last election did for me was reinforce the knowledge that both major political parties are different faces of the same coin, two poisons of different flavors, blah blah blah. You know, the Republicrat party.&lt;/p&gt;</description><link>http://brokenlcd.tumblr.com/post/175913163</link><guid>http://brokenlcd.tumblr.com/post/175913163</guid><pubDate>Mon, 31 Aug 2009 03:09:52 +0100</pubDate></item><item><title>Here is the second track, as promised. I guess I should mention...</title><description>&lt;embed type="application/x-shockwave-flash" src="http://brokenlcd.tumblr.com/swf/audio_player.swf?audio_file=http://www.tumblr.com/audio_file/174864224/tumblr_kp5j395uCT1qznpq0&amp;color=FFFFFF" height="27" width="207" quality="best"&gt;&lt;/embed&gt;&lt;br/&gt;&lt;br/&gt;&lt;p&gt;Here is the second track, as promised. I guess I should mention that this one is called Arpanet (that’s right, a song called Arpanet!), and is the second track on the album.&lt;/p&gt;</description><link>http://brokenlcd.tumblr.com/post/174864224</link><guid>http://brokenlcd.tumblr.com/post/174864224</guid><pubDate>Sat, 29 Aug 2009 19:52:00 +0100</pubDate></item><item><title>I just picked up a new CD today called “Hackers Versus...</title><description>&lt;embed type="application/x-shockwave-flash" src="http://brokenlcd.tumblr.com/swf/audio_player.swf?audio_file=http://www.tumblr.com/audio_file/174362023/tumblr_kp49bzspVc1qznpq0&amp;color=FFFFFF" height="27" width="207" quality="best"&gt;&lt;/embed&gt;&lt;br/&gt;&lt;br/&gt;&lt;p&gt;I just picked up a new CD today called “Hackers Versus Crackers” by Arthur Dellea. So far it seems like real good material and the best part is, it only costs $8. 
So I’m posting the last track (Unix And Linux) as a preview. The CD is a mix of electronica and some classic kind of rock type tunes. I’ll post another track tomorrow with a more rocky tune to it. And yes, I bought it based on the title (and previewing a couple of tracks).&lt;/p&gt;</description><link>http://brokenlcd.tumblr.com/post/174362023</link><guid>http://brokenlcd.tumblr.com/post/174362023</guid><pubDate>Sat, 29 Aug 2009 03:23:59 +0100</pubDate></item><item><title>// wrote these on the bus headed in and out of Golden, didn’t get a chance to // submit them...</title><description>&lt;p&gt;// wrote these on the bus headed in and out of Golden, didn’t get a chance to &lt;br/&gt;// submit them before now.&lt;br/&gt;&lt;br/&gt;Current Location: on the bus in Downtown Denver (39.737 N / 104.993 W )&lt;br/&gt;20090825 - 1100 MST / 1700 UTC&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;Listening to Vernor Vinge’s SALT (Seminars on Long Term Thinking) talk on why &lt;br/&gt;the Singularity* might not happen. To risk restating the podcast, which is &lt;br/&gt;available online (check out, as a matter of fact, The Long Now organization at&lt;br/&gt;&lt;a href="http://www.longnow.org" target="_blank"&gt;http://www.longnow.org&lt;/a&gt;), Vinge gives the following as reasons why the &lt;br/&gt;Singularity might not in fact occur:&lt;br/&gt;&lt;br/&gt; 1. Mutually assured destruction actually does occur,&lt;br/&gt; 2. Our civilization enters into a golden age, and we enter into a form&lt;br/&gt; of transhumanism that obsoletes the idea of the Singularity, or&lt;br/&gt; 3. A wheel of time scenario in which humanity cycles through periods&lt;br/&gt; of long runs, only to suffer near extinctions requiring the rebuilding&lt;br/&gt; of society (i.e. 
the Roman Empire on a global scale, a real mind twister&lt;br/&gt; when you look at how globally interdependent the planet is now).&lt;br/&gt;&lt;br/&gt;I’ve been tossing around the idea of the Singularity as being a force or major&lt;br/&gt;event in the cyberpunk novel I’m very slowly working on, and it certainly &lt;br/&gt;provides some food for thought concerning the future. He notes that “younger &lt;br/&gt;older people”, with their wisdom, would be good for humanity, and that research &lt;br/&gt;into productive longevity of the human race would be a good policy decision. &lt;br/&gt;Their insights into events of the past and the course of history to that point &lt;br/&gt;through their lives would help with the aims of the Long Now. This could be an &lt;br/&gt;interesting scenario, much like the character of Conover, the smuggler lord, in&lt;br/&gt;the cyberpunk novel Metrophage.&lt;br/&gt;&lt;br/&gt;I’ve also noted preparations for my upcoming business trip do not take all of my&lt;br/&gt;time or even always most. Operating under this parameter, I’ve decided to start &lt;br/&gt;using some of my free and currently unemployed time to earnestly study Java and &lt;br/&gt;how to write webapps, and integrating Java, PHP, and possibly perl or python or &lt;br/&gt;(my ultimate goal), lisp. Definitely not Ruby though. &lt;br/&gt;&lt;br/&gt;I have two small projects I want to develop first:&lt;br/&gt;&lt;br/&gt; 1. a java SFTP program to provide a unified, cross-platform tool for &lt;br/&gt; providing a free SFTP GUI for whatever operating system being run (as&lt;br/&gt; long as said OS runs Java) to learn some secure network programming &lt;br/&gt; techniques in Java, and&lt;br/&gt; 2. 
a tumblr notepad like program to write new posts from your desktop &lt;br/&gt; (maybe some sort of desktop widget) to learn how to do HTTP interfacing.&lt;br/&gt;&lt;br/&gt;Both of these will work towards a program that was originally suggested to me&lt;br/&gt;by a systems administrator at my last job (where I worked as a student network&lt;br/&gt;administrator) that could provide the first real cash flow and name for Epic&lt;br/&gt;Secure Data Systems, but I need to come up with some intermediate projects to &lt;br/&gt;work on to lead me there.&lt;br/&gt;&lt;br/&gt;We’ll see what happens down the road.&lt;br/&gt;&lt;br/&gt;————————————————————————————————————————&lt;br/&gt;&lt;br/&gt;Current Location: The bus (headed back to Denver) (39.738 N / 105.156 W)&lt;br/&gt;20090825 - 1536 MST / 2136 UTC&lt;br/&gt;&lt;br/&gt;Had a few more thoughts based on things that Vinge mentioned in the Q&amp;A section&lt;br/&gt;of his speech. Some of these he ended up more or less saying anyways.  There are&lt;br/&gt;certainly some interesting perspectives here though:&lt;br/&gt;&lt;br/&gt; 1. The possibility that the Singularity occurs as a rapid chain reaction,&lt;br/&gt; or, as Vinge put it, “an explosion rather than progress.”&lt;br/&gt;&lt;br/&gt; 2. Think about the idea that the Singularity could (at least initially)&lt;br/&gt; be isolated to the military-industrial complex.&lt;br/&gt;&lt;br/&gt; 3. The Singularity may be the byproduct of a new type of arms race.&lt;br/&gt;&lt;br/&gt; 4. If one side in an arms race gets to it first fast enough to take &lt;br/&gt; advantage, could we end up with a one-sided singularity? If both get to&lt;br/&gt; it at the same time, could an informational form of MAD (not necessarily&lt;br/&gt; limited to the original MAD idea of deterrence) take place? Either way,&lt;br/&gt; how does this affect the outcome / situation regarding the Singularity?&lt;br/&gt;&lt;br/&gt; 5. 
One thing Vinge does talk about is a possibility assuming we begin the &lt;br/&gt; colonization of extraterrestrial locations (asteroids, planets, other&lt;br/&gt; star systems): how does the Singularity propagate through to the remotest&lt;br/&gt; systems? What effect does this have on the scenario and on society?&lt;br/&gt;&lt;br/&gt; 6. If the Singularity dominates mankind, how will that change the &lt;br/&gt; social power structure? Maybe the Singularity won’t dominate, but “simply”&lt;br/&gt; overthrow the status quo. &lt;br/&gt;&lt;br/&gt;I’m falling asleep as I type, the result of no sleep last night. Hopefully, the &lt;br/&gt;skipping of a night will allow me to at least temporarily reset my sleep schedule.&lt;br/&gt;Also I would like to expand more on this, but I’m barely coherent as it is. So&lt;br/&gt;this will be it for now, and I will definitely be spell-checking again tomorrow.&lt;/p&gt;</description><link>http://brokenlcd.tumblr.com/post/171646956</link><guid>http://brokenlcd.tumblr.com/post/171646956</guid><pubDate>Wed, 26 Aug 2009 00:45:00 +0100</pubDate></item><item><title>Long Time No Post</title><description>&lt;p&gt;Owing to my not-hacker adventures, I haven’t done much with the computer lately. But last night, due to a large bout of insomnia, I reinstalled OpenSolaris on my laptop (I was running kubuntu) and I saved 15G for OpenBSD. We’ll see how things turn out…&lt;/p&gt;

&lt;p&gt;Sometimes, Wally, I wonder if I’m like you. Except instead of changing hardware, I change operating systems.&lt;/p&gt;</description><link>http://brokenlcd.tumblr.com/post/171309073</link><guid>http://brokenlcd.tumblr.com/post/171309073</guid><pubDate>Tue, 25 Aug 2009 15:11:00 +0100</pubDate></item><item><title>The Saga of the Secure Data Haven, Act III</title><description>&lt;p&gt;With the Soekris and some OpenBSD network security projects that jumped up, I haven’t had time to work on the Secure Data Haven.&lt;/p&gt;
&lt;p&gt;One of my fellow HOTSC hackers was able to get Gentoo installed (no hardened kernel yet) by sitting down and finagling with the kernel. The hard drives are currently being encrypted, a process that has taken over 24 hours so far and will likely take up to three days.&lt;/p&gt;
&lt;p&gt;Once this is finished, with tor, OTR, freenet and the rest installed, then will come the part of the show where we get the hardened kernel working.&lt;/p&gt;</description><link>http://brokenlcd.tumblr.com/post/90806062</link><guid>http://brokenlcd.tumblr.com/post/90806062</guid><pubDate>Sun, 29 Mar 2009 03:41:46 +0100</pubDate></item><item><title>Useful BIOS Settings for the Soekris net4501</title><description>&lt;p&gt;I am using my Soekris net4501 as an OpenBSD VPN / firewall / router (still getting it set up and configured, I hate it when school gets in the way of hacking) and found the following BIOS settings useful:&lt;/p&gt;
&lt;p&gt;&gt; set BootDelay=2&lt;/p&gt;
&lt;p&gt;&gt; set FastBoot=Enabled&lt;/p&gt;
&lt;p&gt;With FastBoot enabled, you need to hit Control + P to enter the monitor pretty much while it’s posting, otherwise you’ll miss it. It boots a lot faster this way.&lt;/p&gt;
&lt;p&gt;Other useful settings may be to change the baud rate or CPU speed. As per the manual, to display a list of parameters and their values, issue the command ‘show’.&lt;/p&gt;
&lt;p&gt;That’s all for now, folks.&lt;/p&gt;</description><link>http://brokenlcd.tumblr.com/post/90744582</link><guid>http://brokenlcd.tumblr.com/post/90744582</guid><pubDate>Sat, 28 Mar 2009 22:22:26 +0000</pubDate></item><item><title>Updating the Soekris net4501 BIOS</title><description>&lt;p&gt;It’s always best practice to make sure your device firmware is up to date. So, when I got my Soekris net4501 and saw it came with BIOS version 1.26a and the latest version is 1.33, I decided to update the firmware. I used the following software (keep in mind I am running OpenBSD 4.4 on the laptop I’m doing this from):&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;picocom - not in ports but on the web. My terminal software of choice.&lt;/li&gt;
&lt;li&gt;lrzsz - needs to be installed from ports. It is under comms. &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;First thing is to download the latest image from the Soekris website, which is named something along the lines of b4501_133.bin. Next, pull open the terminal, ensuring of course that your connection settings are correct. For the net4501, it’s 19200 baud, 8N1, no flow control. Also, you need to set your send command when starting picocom (--send-cmd). In this case, since we are using lrzsz, that means we use lsx.  Make sure to pass the following options: -vv (verbose mode), -b (we are transferring a binary file, not an ASCII one!), and -X (use the Xmodem protocol).&lt;/p&gt;
&lt;p&gt;Armed with this, I set out to update the BIOS. Obviously, upon booting you will need to drop into the monitor and use the download command. However, I kept getting NAK errors and the updates failed, looking like:&lt;/p&gt;
&lt;p&gt;*** file: /usr/export/home/brokenlcd/b4501_133.bin&lt;br/&gt;lsx -X -b  -vv  /usr/export/home/brokenlcd/b4501_133.bin &lt;br/&gt;Sending /usr/export/home/brokenlcd/b4501_133.bin, 608 blocks: Give your local XMODEM receive command now.&lt;br/&gt;Xmodem sectors/kbytes sent:   0/ 0kRetry 0: NAK on sector&lt;br/&gt;Retry 0: Got 72 for sector ACK&lt;br/&gt;Retry 0: NAK on sector&lt;br/&gt;Retry 0: Got 6f for sector ACK&lt;br/&gt;Retry 0: NAK on sector&lt;br/&gt;Retry 0: Got 6f for sector ACK&lt;br/&gt;Retry 0: NAK on sector&lt;br/&gt;Retry 0: Got 6f for sector ACK&lt;br/&gt;Retry 0: NAK on sector&lt;br/&gt;Retry 0: Got 6f for sector ACK&lt;br/&gt;Retry 0: NAK on sector&lt;br/&gt;Retry 0: Got 6f for sector ACK&lt;br/&gt;Retry 0: NAK on sector&lt;br/&gt;Retry 0: Got 6f for sector ACK&lt;br/&gt;Retry 0: NAK on sector&lt;br/&gt;Retry 0: Got 2a for sector ACK&lt;br/&gt;Retry 0: NAK on sector&lt;br/&gt;Retry 0: Got 6f for sector ACK&lt;/p&gt;
&lt;p&gt;While searching out the possible errors online, I discovered that there is an undocumented option to the download command. When I told the BIOS to ‘download -‘, it worked like a charm. It uploaded the 76k BIOS update and then I ran flashupdate. Now:&lt;/p&gt;
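&lt;p&gt;As an added example (not from the original post), here is a small pre-flight script for the transfer above. It computes the XMODEM block count lsx will announce (128-byte blocks, the last one padded with 0x1A) so you can compare it against the “608 blocks” line before running flashupdate, and it decodes the hex bytes lsx prints in “Got XX for sector ACK”: 06 and 15 are ACK and NAK, while 72, 6f and 2a are ASCII r, o and *, which looks like the monitor printing text rather than answering the protocol. The serial device /dev/cua00 and the picocom options are assumptions; adjust them for your host.&lt;/p&gt;

```shell
#!/bin/sh
# Pre-flight helpers for pushing a comBIOS image to a Soekris over XMODEM.
# Added example, not from the original post. Assumptions: the serial port is
# /dev/cua00 (OpenBSD naming) and lsx from lrzsz is on the PATH.

# Image size in bytes (wc takes the filename, so no redirection is needed).
image_size() {
    wc -c "$1" | awk '{ print $1 }'
}

# XMODEM moves 128-byte blocks and pads the last one, so round up. This is
# the number lsx announces in "Sending ..., N blocks".
xmodem_blocks() {
    size=$(image_size "$1")
    echo $(( (size + 127) / 128 ))
}

# Bytes of 0x1A padding lsx appends to fill the final block.
xmodem_pad_bytes() {
    size=$(image_size "$1")
    rem=$(( size % 128 ))
    if [ "$rem" -eq 0 ]; then echo 0; else echo $(( 128 - rem )); fi
}

# Decode the hex byte lsx shows in "Got XX for sector ACK". Only a few values
# are protocol bytes; anything else is the far end sending ASCII, which is
# what the failed run above shows (72 6f 6f ... 2a are the letters r, o and
# a star, not ACKs).
xmodem_byte_name() {
    hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$hex" in
        01) echo SOH ;;
        04) echo EOT ;;
        06) echo ACK ;;
        15) echo NAK ;;
        18) echo CAN ;;
        *)
            dec=$(( 0x$hex ))
            ch=$(printf "\\$(printf '%o' "$dec")")
            echo "'$ch' (ASCII, not an XMODEM control byte)"
            ;;
    esac
}

# Print what to expect and the exact picocom line, so the operator can match
# lsx's block count against this before running flashupdate.
bios_preflight() {
    img=$1
    if [ ! -s "$img" ]; then
        echo "error: $img is missing or empty"
        return 1
    fi
    echo "image:  $img"
    echo "blocks: $(xmodem_blocks "$img") (pad $(xmodem_pad_bytes "$img") bytes)"
    echo "picocom --baud 19200 --flow n --send-cmd 'lsx -X -b -vv' /dev/cua00"
    echo "monitor: 'download -' then 'flashupdate' (plain 'download' NAKed every block here)"
}

if [ "$#" -gt 0 ]; then
    bios_preflight "$1"
fi
```

&lt;p&gt;Run it as sh preflight.sh b4501_133.bin. For the image the post transferred, 608 blocks is exactly 76 KiB (608 times 128 bytes), which matches the “76k BIOS update” that flashupdate was given.&lt;/p&gt;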
&lt;p&gt;comBIOS ver. 1.33  20080103  Copyright (C) 2000-2007 Soekris Engineering.&lt;br/&gt;&lt;br/&gt;and shortly thereafter, OpenBSD boots. Mission accomplished, batman.&lt;/p&gt;</description><link>http://brokenlcd.tumblr.com/post/90734217</link><guid>http://brokenlcd.tumblr.com/post/90734217</guid><pubDate>Sat, 28 Mar 2009 21:45:00 +0000</pubDate></item><item><title>The Advanced Projects Lab</title><description>&lt;p&gt;I started setting up the advanced projects lab. Pictures and descriptions available at &lt;a href="http://picasaweb.google.com/brokenlcd/" target="_blank"&gt;http://picasaweb.google.com/brokenlcd/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This is a joint effort by the Hackers of the Sacred Code and Epic Secure Data Systems.&lt;/p&gt;</description><link>http://brokenlcd.tumblr.com/post/89903102</link><guid>http://brokenlcd.tumblr.com/post/89903102</guid><pubDate>Thu, 26 Mar 2009 03:02:29 +0000</pubDate></item><item><title>Insecure Programming Techniques in Security Programs</title><description>&lt;p&gt;They say a chain is only as strong as its weakest link, and there’s a problem when your security software is your weakest link.&lt;/p&gt;
&lt;p&gt;I’m a huge fan of netcat for its sheer usefulness in doing network stuff (for a fun night of crossing your fingers, try dd | nc … ). Recently, I was going through the security folder of the OpenBSD ports tree, seeing what was available, and I came across cryptcat. I built it and was warned:&lt;/p&gt;
&lt;p&gt;c++ -O2 -pipe -DGAPING_SECURITY_HOLE -DNETBSD -static -o cryptcat netcat.o farm9crypt.o twofish2.o -lstdc++&lt;br/&gt;netcat.o(.text+0x33e): In function `gethostpoop’:&lt;br/&gt;: warning: strcpy() is almost always misused, please use strlcpy()&lt;br/&gt;netcat.o(.text+0x5e3): In function `getportpoop’:&lt;br/&gt;: warning: sprintf() is often misused, please use snprintf()&lt;br/&gt;netcat.o(.text+0xdd1): In function `dolisten’:&lt;br/&gt;: warning: strcat() is almost always misused, please use strlcat()&lt;/p&gt;
&lt;p&gt;(-DGAPING_SECURITY_HOLE allows you to bind a shell to cryptcat, useful when exploiting a system…)&lt;/p&gt;
&lt;p&gt;I went through and audited the cryptcat source for these insecure functions, and came up with the following:&lt;/p&gt;
&lt;p&gt;straylight% grep -n strcpy *.c  &gt; audit_report.txt&lt;br/&gt;straylight% grep -n strcat *.c  &gt;&gt; audit_report.txt&lt;br/&gt;straylight% grep -n sprintf *.c  &gt;&gt; audit_report.txt&lt;br/&gt;straylight% wc audit_report.txt &lt;br/&gt; 12      99     702 audit_report.txt&lt;br/&gt;straylight%&lt;/p&gt;
&lt;p&gt;12 matching lines where software (which can potentially be bound to a shell!) utilizes a *known* insecure function. Go figure.&lt;/p&gt;
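&lt;p&gt;The grep pipeline above gives an upper bound rather than a call count: grep sprintf also matches every snprintf, grep strcpy matches comments and any identifier that contains the string, and wc counts lines, not calls. Below is an added example (my code, not cryptcat’s and not the author’s) of the same audit done with a token boundary and a following parenthesis, run against a constructed sample source that exercises those false positives; the report file name audit_report.txt follows the post.&lt;/p&gt;

```shell
#!/bin/sh
# Audit C sources for the calls the OpenBSD linker warned about. Added
# example; this is not cryptcat's code or the post author's. Assumptions:
# you pass the *.c files on the command line; the report file name follows
# the post. GNU or BSD grep, sed and awk are enough.

UNSAFE='strcpy|strcat|sprintf'

# Real call sites only: the name must start a token and be followed by "(",
# so snprintf, strlcpy and mystrcpy do not match, and lines that are only a
# comment are dropped. -H forces file:line:text even for a single file.
unsafe_call_lines() {
    grep -nHE "(^|[^[:alnum:]_])($UNSAFE)[[:space:]]*\(" "$@" \
        | grep -vE '^[^:]*:[0-9]+:[[:space:]]*(//|/\*|\*)'
}

count_unsafe_calls() {
    unsafe_call_lines "$@" | wc -l | tr -d ' '
}

# What the post's pipeline measures: a plain substring grep per name, summed.
# Every snprintf line lands under sprintf, and comments and identifiers that
# merely contain the name are counted too.
naive_count() {
    total=0
    for name in strcpy strcat sprintf; do
        n=$(cat "$@" | grep -c "$name" || true)
        total=$(( total + n ))
    done
    echo "$total"
}

# Write the report in one pass and return nonzero when anything was found,
# so a build script can stop on it.
audit_report() {
    report=$1
    shift
    unsafe_call_lines "$@" | tee "$report"
    n=$(count_unsafe_calls "$@")
    echo "$n unsafe call site(s) written to $report"
    [ "$n" -eq 0 ]
}

# Constructed sample source (not from cryptcat) covering the false positives.
make_sample() {
    printf '%s\n' \
        'char buf[64];' \
        'strcpy(buf, host);                      /* real call */' \
        'snprintf(buf, sizeof buf, "%d", port);  /* safe; substring-matches sprintf */' \
        '/* never use strcpy here */' \
        'int mystrcpy(char *d, const char *s);' \
        'sprintf (buf, "%s", p);                 /* real call, space before paren */' \
        'strcat(buf, suffix);                    /* real call */' \
        'strlcpy(buf, host, sizeof buf);' \
        | sed -n "w $1"
}

if [ "$#" -gt 0 ]; then
    audit_report audit_report.txt "$@"
fi
```

&lt;p&gt;On the sample, the naive substring count reports 6 while only 3 lines are real strcpy/strcat/sprintf call sites; the same gap is possible in the 12 above. The two matches that remain worth a manual look after this filter are format strings and destination sizes, which no grep can judge.&lt;/p&gt;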

&lt;p&gt;I think it’ll be an interesting exercise to attempt to overhaul the code. This will give me some experience securing existing code and opening my eyes to current security issues.&lt;/p&gt;</description><link>http://brokenlcd.tumblr.com/post/89520944</link><guid>http://brokenlcd.tumblr.com/post/89520944</guid><pubDate>Tue, 24 Mar 2009 23:40:49 +0000</pubDate></item><item><title>The Saga of the Secure Data Haven Part Deus</title><description>&lt;p&gt;I could not get the hardened kernel to boot, and even the genkernel panicked on me. I ended up going with CentOS, where I may not have a working hardened kernel, but I do have a strong firewall, basic UNIX security, and an enforcing strict SELinux policy. (And yes, I am working on getting the kernel working, so it will work. Eventually.)&lt;/p&gt;

&lt;p&gt;I managed to get dmcrypt working with aes-cbc-essiv:sha256, although I want to move (eventually) to serpent-ctr-essiv:sha256, which I feel provides stronger protection. Once I get truecrypt working, I may try a dual-layer or even triple-layer disk encryption, so if one ciphersystem is broken, the system will have another. Paranoia? Yes. But that’s the target audience of this machine anyhow.&lt;/p&gt;

&lt;p&gt;After this is all done I think I’m going to roll it up into a custom Epic Secure Data Systems - Hardened CentOS distro to make life easier, as I’ve already had to pull stuff from other repos (tor, tsocks, apg, etc…) and custom compile other software (i.e. TrueCrypt and S/Key authentication, not to mention the kernel).&lt;/p&gt;</description><link>http://brokenlcd.tumblr.com/post/87351088</link><guid>http://brokenlcd.tumblr.com/post/87351088</guid><pubDate>Tue, 17 Mar 2009 20:35:36 +0000</pubDate></item><item><title>Setting Up A Secure Data Haven Machine Part 1</title><description>&lt;p&gt;One of my latest projects has been setting up a secure data haven, which is basically a system to satisfy the following goals:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;provide an anonymous tor / freenet proxy with encrypted streams into the system (ssh / ssl)&lt;/li&gt;
&lt;li&gt;strengthen the tor and freenet networks by providing more traffic to throw in the mix, and, in the case of freenet, a large encrypted data store for use on the network&lt;/li&gt;
&lt;li&gt;provide encrypted file storage for users (current plan is 256-bit Serpent encryption in CTR (ESSIV) mode or possibly truecrypt triple-cascade, i.e. Serpent-Twofish-AES)&lt;/li&gt;
&lt;li&gt;provide encrypted network transport for users&lt;/li&gt;
&lt;li&gt;provide a system with a high enough security level to withstand The Internet’s various assaults and provide customers / clients with the peace of mind for their data.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The first step was determining network hardware to be used. In this case, I’m using a gigabit switch with a fiber run to the storage machine (eventually the machines will be moved from an Asante 7-port copper / 1-port GBIC interface simple switch to an 8-port GBIC Cisco 3505). The machine will however have a pair of twisted pair copper interfaces as an alternative and providing a secondary connection to a (future) backup switch.&lt;/p&gt;
&lt;p&gt;The next step is determining hard drive requirements. For this particular machine, I went with the following:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;a 60G system drive (originally a 20G but that hard drive failed and the 60 was the only other size I had readily on hand).&lt;/li&gt;
&lt;li&gt;a 40G freenet anonymous store hard drive (encrypted hard drive space to be added to the freenet anonymous data pool)&lt;/li&gt;
&lt;li&gt;a 120G encrypted hard drive for users to store data on&lt;/li&gt;
&lt;li&gt;a 160G encrypted backup drive, split between a 35G system backup partition and a 125G backup drive for user data&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The gentoo installation proceeds fairly normally, except that I haven’t set up the home partition as I will do that when I hit the encryption phase. I emerged the hardened-sources, pciutils, and then configured the kernel. Then I rebuilt the toolchain. I am currently in the process of working the kinks out of the kernel and once I get that working I will post more details.&lt;/p&gt;</description><link>http://brokenlcd.tumblr.com/post/85742398</link><guid>http://brokenlcd.tumblr.com/post/85742398</guid><pubDate>Thu, 12 Mar 2009 05:04:00 +0000</pubDate></item><item><title>Encrypting a Hard Drive: the Down and Dirty</title><description>&lt;p&gt;I’ve been working on a file server for a data haven project, which happens to have three encrypted hard drives and a fourth encrypted partition. Since a lot of time goes between when I encrypt hard drives (and I tend to write scripts to automate opening and closing encrypted filesystems), I always forget how to do it. So here’s the quick and dirty guide to encrypting filesystems / partitions in linux using dmcrypt / luks / cryptsetup (a nice descriptive sentence for the search engines).&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;cryptsetup luksFormat -y -c &lt;insert cipher here&gt; -h &lt;insert hash here&gt; -s &lt;key size&gt; &lt;DEVICE&gt;&lt;/li&gt;
&lt;li&gt;cryptsetup luksOpen &lt;DEVICE&gt; &lt;MAPPING&gt;&lt;/li&gt;
&lt;li&gt;mkfs.&lt;HOLY CHOSEN FILESYSTEM&gt; /dev/mapper/&lt;MAPPING&gt; (the mapping, never the raw device, or you overwrite the LUKS header you just wrote)&lt;/li&gt;
&lt;li&gt;mount /dev/mapper/&lt;MAPPING&gt; &lt;MOUNTPOINT&gt;&lt;/li&gt;
&lt;li&gt;umount &lt;MOUNTPOINT&gt;&lt;/li&gt;
&lt;li&gt;cryptsetup luksClose &lt;MAPPING&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This of course assumes you have cryptsetup with LUKS support installed.&lt;/p&gt;
&lt;p&gt;&lt;br/&gt;My preference for a cipher happens to be serpent-ctr-essiv:sha256 but you can use whatever ciphers you have compiled into the kernel. By not including -s the key defaults to a size of 128 bits; my preference is 256.&lt;/p&gt;
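&lt;p&gt;Since the post mentions scripting the open and close steps, here is an added example of such a wrapper (my code, not the author’s script). It uses the post’s cipher, hash and key size as defaults, formats the filesystem on /dev/mapper/&lt;MAPPING&gt; rather than on the raw device, unmounts before luksClose, and checks the cipher spec for typos before luksFormat wipes anything. DRYRUN=1 prints the commands instead of running them; the filesystem type and the device, mapping and mount point names in the usage line are assumptions.&lt;/p&gt;

```shell
#!/bin/sh
# LUKS helper: format a device once, then open/close it on demand. Added
# example for this post, not the author's own script. Assumptions: the
# cipher, hash and key size defaults are the post's preferences; the
# filesystem type is a guess; DRYRUN=1 prints each command instead of
# running it, which is also how the step order can be checked without root.

CIPHER=${CIPHER:-serpent-ctr-essiv:sha256}
HASH=${HASH:-sha256}
KEYSIZE=${KEYSIZE:-256}
FSTYPE=${FSTYPE:-ext3}

run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Catch typos before luksFormat touches the disk: the spec must name a cipher,
# a mode and an IV generator (cipher-mode-essiv:hash, cipher-mode-plain or
# cipher-mode-plain64), and the key size must be one the block ciphers in
# question accept.
luks_spec_ok() {
    spec=$1
    size=$2
    case "$spec" in
        *-*-*:*|*-*-plain|*-*-plain64) ;;
        *) echo "bad cipher spec: $spec"; return 1 ;;
    esac
    case "$size" in
        128|192|256) ;;
        *) echo "bad key size: $size"; return 1 ;;
    esac
}

# One-time setup. Destroys everything on DEVICE.
luks_format() {
    dev=$1
    name=$2
    luks_spec_ok "$CIPHER" "$KEYSIZE" || return 1
    run cryptsetup luksFormat -y -c "$CIPHER" -h "$HASH" -s "$KEYSIZE" "$dev" || return 1
    run cryptsetup luksOpen "$dev" "$name" || return 1
    # The filesystem goes on the mapping. mkfs on the raw device would
    # overwrite the LUKS header that was just written.
    run mkfs."$FSTYPE" "/dev/mapper/$name" || return 1
    run cryptsetup luksClose "$name"
}

# Day-to-day: unlock and mount.
luks_open() {
    dev=$1
    name=$2
    mnt=$3
    run cryptsetup luksOpen "$dev" "$name" || return 1
    run mount "/dev/mapper/$name" "$mnt"
}

# Unmount first; luksClose on a mounted mapping fails because the device is busy.
luks_close() {
    name=$1
    mnt=$2
    run umount "$mnt" || return 1
    run cryptsetup luksClose "$name"
}

case "${1:-}" in
    format) shift; luks_format "$@" ;;
    open)   shift; luks_open "$@" ;;
    close)  shift; luks_close "$@" ;;
esac
```

&lt;p&gt;Usage: sh luks.sh format /dev/sdb1 userdata once, then sh luks.sh open /dev/sdb1 userdata /srv/users and sh luks.sh close userdata /srv/users. Prefix with DRYRUN=1 to see the exact cryptsetup, mkfs and mount commands before running them for real.&lt;/p&gt;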
&lt;p&gt;Another option is to use truecrypt.&lt;/p&gt;</description><link>http://brokenlcd.tumblr.com/post/85631615</link><guid>http://brokenlcd.tumblr.com/post/85631615</guid><pubDate>Wed, 11 Mar 2009 20:52:00 +0000</pubDate></item><item><title>Changing the Theme</title><description>&lt;p&gt;Courtesy of Wally (&lt;a href="http://imwally.tumblr.com" target="_blank"&gt;http://imwally.tumblr.com&lt;/a&gt;) I have a new theme called Nigredo (&lt;a href="http://nigredotheme.tumblr.com/" target="_blank"&gt;http://nigredotheme.tumblr.com/&lt;/a&gt;).&lt;/p&gt;</description><link>http://brokenlcd.tumblr.com/post/81190733</link><guid>http://brokenlcd.tumblr.com/post/81190733</guid><pubDate>Tue, 24 Feb 2009 22:00:58 +0000</pubDate></item><item><title>Impressions of OpenSolaris 2008.11 - One Week In</title><description>&lt;p&gt;I’ve been running OpenSolaris on my Lenovo T61 ThinkPad for about a week now, so I figured I’d write about my first impressions.

The first thing to mention is that I installed mainly for the development tools and ZFS performance, so my needs will not be the same as everyone else’s. 

In a nutshell, however, I will note the following points:
    * mp3 support, which requires the Fluendo codec to be downloaded and installed (and most likely you will need to read the README that comes with the download in order to pull this off), is very easy to pull off. Rhythmbox and Songbird both work fine with mp3 files now. AAC support, however, is not something I have gotten working.
    * I have video support through an installation of mplayer and vlc via the blastwave repository (&lt;a href="http://www.blastwave.com" target="_blank"&gt;http://www.blastwave.com&lt;/a&gt;) which requires some work to get running, namely in setting up the blastwave repo and in modifying the path to look for binaries in the csw directory. I do not have DVD support yet, however.
    * CD burning works perfectly.
    * I am quite comfortable using the installation for school - I don’t have any issues with firefox or openoffice not being able to do things.
    * I have 2G of RAM in my laptop, and yet my RAM usage is generally &gt; 65 - 80%, quite often nearly maxed out. I plan on upgrading to 4G (mostly due to the fact that I run windows in a VM to have access to VisualStudio for some school projects).
     * Speaking of VMs, VirtualBox is amazing, especially with the addons CD installed and seamless mode engaged. 
     * Power management required editing a file and rebooting the laptop, but once I got it working it works perfectly.
     * The default print manager was a headache; I had to install CUPS (which I did a quick writeup on, it should be the previous post) but once I got CUPS installed I have no problems with printing both to my school’s network printers or to my USB Brother laserjet printer.
     * The development environment is beautiful. I am now hooked on netbeans, although I still use jEdit for Perl and FORTRAN (for my FORTRAN class). Netbeans is a very rich development environment, and I even started using sun[cC][cC] over gcc/g++ (mostly because I’m not a huge fan of GNU - only because I don’t particularly care for the GPL or some of its leaders). I spent a while trying to find a decent IDE with profiling and memory allocation debugging support in Linux and found everything else lacking. I never really got into Eclipse, kdevelop is decent, geany had a few quirks I didn’t like, anjuta was a pain, so I was sticking to jEdit and a terminal window. Now not only have I found an IDE I like, it’s also cross-platform. Looks like I win.
     * I’ve had a hard time using my external 40G USB hard drive on the machine.
     * Generally wireless works well, however I sometimes have difficulty getting it to reacquire a connection after waking up from sleep and occasionally it will lose the connection. 

All in all, I really enjoy OpenSolaris and find it to be my laptop operating system replacement for ubuntu. I have ubuntu installed on the second partition on the laptop but I hardly ever use it. In fact, I think the last time I used it was to install netbeans.  It definitely could use some work to make it more usable and approachable to new users, but I’m hooked. &lt;/p&gt;</description><link>http://brokenlcd.tumblr.com/post/74723950</link><guid>http://brokenlcd.tumblr.com/post/74723950</guid><pubDate>Sun, 01 Feb 2009 07:31:36 +0000</pubDate></item><item><title>Enabling Power Management and CUPS Printing in OpenSolaris</title><description>&lt;p&gt;The source documentation I used for these are:&lt;/p&gt;
&lt;p&gt;&lt;a href="http://opensolaris.org/os/community/printing/Documentation/cupsprint/" target="_blank"&gt;http://opensolaris.org/os/community/printing/Documentation/cupsprint/&lt;/a&gt; (CUPS printing)&lt;/p&gt;
&lt;p&gt;&lt;a href="http://blogs.sun.com/randyf/entry/solaris_suspend_and_resume_how" target="_blank"&gt;http://blogs.sun.com/randyf/entry/solaris_suspend_and_resume_how&lt;/a&gt; (power management)&lt;/p&gt;

&lt;p&gt;First let me say that both are now working perfectly, and that on both Linux and BSD I’ve had issues with both. I’d say it took me 15 minutes apiece at most to get both working well.&lt;/p&gt;
&lt;p&gt;Second, as a reference, I am using a Thinkpad T61 (7658-01U) so obviously, YMMV.&lt;/p&gt;

&lt;p&gt;Power management:&lt;/p&gt;
&lt;p&gt;Very straightforward: as root, edit /etc/power.conf and add the line&lt;/p&gt;
&lt;p&gt;S3-support          enable&lt;/p&gt;
&lt;p&gt;(I added it right below the autoS3 line). Then run “pmconfig” and reboot. Once I rebooted, the system worked just fine. Every now and then, my wireless card acts a little funny or takes a little longer to reacquire the AP, but that was a problem I had in both gentoo and Ubuntu, so it’s not surprising. The system takes at most 10-15 seconds to go into standby, and that’s with NetBeans, firefox, IRC, pidgin, evince with several PDFs, and Songbird open. As a quirk, I do have to hit the power button to resume again; it doesn’t auto-resume on opening the laptop. C’est la vie. It comes up quickly and with xscreensaver installed, session locking works fine.&lt;/p&gt;

&lt;p&gt;CUPS printing:&lt;/p&gt;
&lt;p&gt;The source document will get you running with CUPS right away. Basically, make sure you install both CUPS packages via the package manager, add yourself to both “sys” and “adm” groups (my default group was sysadmin; the new group memberships only take effect once you log out and back in), and run the following:&lt;/p&gt;
&lt;p&gt;print-service -s cups&lt;/p&gt;
&lt;p&gt;svcadm enable svc:/application/cups/scheduler&lt;br/&gt;svcadm enable svc:/application/cups/in-lpd&lt;/p&gt;
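&lt;p&gt;As an added example (my own script, not code from the post or from the OpenSolaris documentation it links), here are both procedures above wrapped in one POSIX shell script. The power.conf edit is idempotent (a second run will not add a second S3-support line, and an existing “S3-support disable” is replaced instead of being left to shadow the new setting), it keeps a backup beside the file, and the CUPS step refuses to run until the sys and adm memberships are actually in place. The sample power.conf it writes is constructed for trying the editing logic on a scratch copy; the only commands it runs on a real host are the ones named above (pmconfig, print-service, svcadm, svcs), and it skips them where they are not installed. The script name and the “power” / “cups” arguments are my choice.&lt;/p&gt;

```sh
#!/bin/sh
# Added example, not code from the original post. Assumptions (mine): the
# power.conf layout is the key/value form shown in the post, and pmconfig,
# print-service, svcadm and svcs are only invoked when actually present.

S3_LINE='S3-support          enable'

# write_sample_conf FILE: constructed sample resembling an OpenSolaris
# power.conf, so the functions below can be exercised without touching /etc.
write_sample_conf() {
    printf '%s\n' \
        'device-dependency-property removable-media /dev/fb' \
        'autopm                  default' \
        'autoS3                  default' \
        'cpu-threshold           1s' \
        'cpupm                   enable' | sed -n "w $1"
}

# s3_support_state FILE: prints enable, disable or unset.
s3_support_state() {
    awk '/^S3-support/ { state = $2 }
         END { print (state == "" ? "unset" : state) }' "$1"
}

# add_s3_support FILE: leaves exactly one "S3-support enable" line in FILE,
# placed right after the autoS3 line as the post does (or at the end if there
# is none), replacing any "S3-support disable". Keeps a copy at FILE.bak.
add_s3_support() {
    conf=$1
    tmp=$conf.tmp.$$
    cp "$conf" "$conf.bak" || return 1
    if grep -q '^S3-support[[:space:]][[:space:]]*enable' "$conf"; then
        return 0    # already enabled; running this twice must not duplicate it
    fi
    awk -v line="$S3_LINE" '
        /^S3-support/ { next }          # drop any stale S3-support setting
        { print }
        /^autoS3/ { print line; added = 1 }
        END { if (!added) print line }
    ' "$conf" | sed -n "w $tmp" || return 1
    mv "$tmp" "$conf"
}

# apply_power_management: the post's procedure against the real /etc/power.conf.
apply_power_management() {
    [ "$(id -u)" = 0 ] || { echo "run as root (or via pfexec)"; return 1; }
    command -v pmconfig | grep -q . || { echo "pmconfig not found; not OpenSolaris?"; return 1; }
    add_s3_support /etc/power.conf || return 1
    pmconfig
    echo "S3 support enabled; reboot for it to take effect"
}

# missing_groups "GROUPS" NAME...: GROUPS is the output of id -Gn; prints the
# required names that are absent and returns 1 if any are missing.
missing_groups() {
    have=" $1 "
    shift
    rc=0
    for g in "$@"; do
        case "$have" in
            *" $g "*) ;;
            *) echo "$g"; rc=1 ;;
        esac
    done
    return $rc
}

# enable_cups: the post's CUPS steps, refusing to run without the group
# memberships it requires (they only take effect after a fresh login).
enable_cups() {
    missing=$(missing_groups "$(id -Gn)" sys adm) || {
        echo "add yourself to these groups and log in again first: $missing"
        return 1
    }
    for tool in print-service svcadm svcs; do
        command -v "$tool" | grep -q . || { echo "$tool not found; not OpenSolaris?"; return 1; }
    done
    print-service -s cups
    svcadm enable svc:/application/cups/scheduler
    svcadm enable svc:/application/cups/in-lpd
    svcs svc:/application/cups/scheduler svc:/application/cups/in-lpd
}

case "${1-}" in
    power) apply_power_management ;;
    cups)  enable_cups ;;
esac
```

&lt;p&gt;Saved as, say, enable-os.sh, run “sh enable-os.sh power” as root and then “sh enable-os.sh cups” as the user you added to sys and adm. With no argument it only defines the functions, so you can source it and point add_s3_support at a scratch copy written by write_sample_conf before letting it near /etc/power.conf.&lt;/p&gt;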
&lt;p&gt;Then pull open firefox to http://localhost:631. For my printer (an HP LaserJet 9050) I had to download the PPD file from openprinting (&lt;a href="http://www.linuxfoundation.org/en/OpenPrinting" target="_blank"&gt;http://www.linuxfoundation.org/en/OpenPrinting&lt;/a&gt; - for once the Linux Foundation was useful for something…) in order to get my print options working properly. The whole reason I switched to CUPS is that this printer requires you to print to tray 4 and the default GNOME print manager wouldn’t let me select a print tray. (Another side note, I use LPD printing for this printer…)&lt;/p&gt;

&lt;p&gt;After filling in the add printer settings and selecting the custom PPD I had saved to a tmp folder, I entered my username and password in the authorization dialog and everything worked.&lt;/p&gt;

&lt;p&gt;I hope this helps someone else…&lt;/p&gt;</description><link>http://brokenlcd.tumblr.com/post/73557111</link><guid>http://brokenlcd.tumblr.com/post/73557111</guid><pubDate>Tue, 27 Jan 2009 19:12:42 +0000</pubDate></item><item><title>NetBeans 6.5 loading on my laptop.</title><description>&lt;img src="http://7.media.tumblr.com/cLrI6tyNfj7dnpp9004J5YP2o1_500.png"/&gt;&lt;br/&gt;&lt;br/&gt;&lt;p&gt;NetBeans 6.5 loading on my laptop.&lt;/p&gt;</description><link>http://brokenlcd.tumblr.com/post/73355857</link><guid>http://brokenlcd.tumblr.com/post/73355857</guid><pubDate>Tue, 27 Jan 2009 00:31:08 +0000</pubDate></item><item><title>This is the first time I installed OpenSolaris, during which I...</title><description>&lt;img src="http://6.media.tumblr.com/cLrI6tyNfj7djr6tpKYsknFuo1_500.png"/&gt;&lt;br/&gt;&lt;br/&gt;&lt;p&gt;This is the first time I installed OpenSolaris, during which I managed to botch my grub install so badly (I was dual-booting Ubuntu and OpenSolaris) and had to re-install. Fortunately I didn’t lose any data in the process (that I know of, at least…) Larger version &lt;a target="_blank" title="OpenSolaris Development" href="http://twitpic.com/16tpj"&gt;here&lt;/a&gt;.&lt;/p&gt;</description><link>http://brokenlcd.tumblr.com/post/73355313</link><guid>http://brokenlcd.tumblr.com/post/73355313</guid><pubDate>Tue, 27 Jan 2009 00:28:03 +0000</pubDate></item></channel></rss>
