Messy due to website upgrade
I’m currently in the process of doing some upgrades to the website, so it might look and behave differently from usual. Bear with me…
Random rants on Defensive Security
This is my first “real” post to the site using WordPress. The previous one covered the details of how I converted posts and comments from SphpBlog’s file-based approach to the MySQL database used by WordPress.
It will take some time for me to add the material from the last site here, but I will hopefully have it done this week. If you are looking for something that you cannot find, don’t hesitate to contact me, and we’ll solve that.
There will probably be a somewhat different approach on the site. I will try to have lengthy posts posted like this, and smaller “thoughts” posted as “asides” (look below). We’ll see if that works out though..
Meantime, take care ..
Update: by the way, the URL of the RSS feed has changed..
Today I finally managed to migrate this site to WordPress. Here’s a rough description of how I did it.
First off, I installed WordPress according to the official documentation. I then modified the original sphpblog2wp script so that it managed to convert the brackets “[]” used by sphpblog to ordinary HTML. I also added support for passing arguments to the script, so that converting my roughly 50 posts wouldn’t be a horrific task. Bear in mind that the modified script is very rough (!), but it worked for me.
Here is an example where I convert all posts (and comments) of March 2005:
onesome# php sphpblog2wp-v2.php /usr/local/www/data/content/05/03/
Connecting to MySQL...
Starting run for /usr/local/www/data/content/05/03/...
Resource id #7Post: /content/05/03//entry050317-234712.txt, inserted as ID 125
Resource id #9Post: /content/05/03//entry050317-234829.txt, inserted as ID 126
Resource id #11Post: /content/05/03//entry050317-235559.txt, inserted as ID 127
Resource id #13Post: /content/05/03//entry050317-233547.txt, inserted as ID 128
Resource id #15Post: /content/05/03//entry050101-233547.txt, inserted as ID 129
Resource id #17Post: /content/05/03//entry050323-233501.txt, inserted as ID 130
Resource id #19Post: /content/05/03//entry050328-131750.txt, inserted as ID 131
Resource id #21Post: /content/05/03//entry050330-002739.txt, inserted as ID 132
Resource id #23Post: /content/05/03//entry050322-094353.txt, inserted as ID 133
-- Comment: /content/05/03//entry050322-094353/comments/comment050322-125059.txt, inserted as ID 31
-- Comment: /content/05/03//entry050322-094353/comments/comment050322-132056.txt, inserted as ID 32
Resource id #30Post: /content/05/03//entry050317-233812.txt, inserted as ID 134
Resource id #32Post: /content/05/03//entry050317-234018.txt, inserted as ID 135
Resource id #34Post: /content/05/03//entry050317-234116.txt, inserted as ID 136
Resource id #36Post: /content/05/03//entry050317-234459.txt, inserted as ID 137
I am now running a modified version of a theme called squible.
I've just uploaded my BSc thesis with the subject Sensitive data on a Mobile Device - An analysis of risks, threats and their mitigations. The thesis was finished in late June, but somehow I hadn't uploaded it until now. The following is simply a snippet of the entry available under the documents category.
—
Sensitive Data on a Mobile device - An analysis of Risks, Threats and their mitigations.
Bachelor of Science Thesis
Collaboration with
10 academic points, which is 10 weeks of active work
Download as
—
Last Friday, I was scheduled to do an interview with the Swedish police regarding cybercrime and digital forensics. In order to perform well, I figured I needed some kind of recording device. And instead of buying expensive equipment for just that purpose, I bought a ZAP - an MP3 player with music playback (doh!) and recording functionality, et cetera.
When I'd recorded an hour-long wave file, I synced the file with my desktop (which, by the way, was flawlessly detected by Kubuntu as a mass storage device. Beautiful), to realise that I could fast forward in the wave file. LAME wasn't able to convert it to wave, and xmms wasn't even able to play the file.
This is how I converted the odd wave-file format to ordinary wave, and then to MP3. Nothing special, but I'll probably have to do it again some time.
neewt@twosome:~/Desktop$ file rec01.wav
rec01.wav: RIFF (little-endian) data, WAVE audio, IMA ADPCM, mono 8000 Hz
neewt@twosome:~/Desktop$ sox rec01.wav -s test.wav
neewt@twosome:~/Desktop$ lame test.wav Intervju-Rikspolisstyrelsen.mp3
LAME version 3.96.1 (http://lame.sourceforge.net/)
CPU features: MMX (ASM used), 3DNow! (ASM used), SSE
Using polyphase lowpass filter, transition band: 3000 Hz - 3097 Hz
Encoding test.wav to Intervju-Rikspolisstyrelsen.mp3
Encoding as 8 kHz 8 kbps single-ch MPEG-2.5 Layer III (16x) qval=3
Frame : CPU time/estim : REAL time/estim : play/CPU : ETA
90809/90811 (100%): 1:15/ 1:15: 1:21/ 1:21: 86.991x: 0:00
average: 8.0 kbpsReplayGain: +0.2dB
neewt@twosome:~/Desktop$
The file now plays correctly in both xmms and in the wonderful media player Amarok. The wave file too, if I wanted that.
I recently faced the task of creating an OpenSSL certificate, which in turn should be signed by a CA (Certificate Authority). In my case, I was allowed to create my own CA, and thus sign my own certificate.
Here is a “quick and dirty” way of creating these certificates..
First, we want to create the CA key and certificate. We will use these to “sign” our own certificate later. In this example I am using OpenSSL version 0.9.7d-15.13.
cd /etc/ssl
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem
Now we’ll create a certificate request. This is pretty much what it sounds like: a request for a signed certificate.
openssl req -new -config ./openssl.cnf -nodes -out ./server-req.pem \
-keyout ./server-key.pem
As you can see, this creates a certificate request (server-req.pem) and a key (server-key.pem). Now we’ll sign the certificate request (server-req.pem) with the CA certificate (cacert.pem) and the CA key (private/cakey.pem).
# Note: do not add -signkey server-key.pem here. When -signkey is given, openssl x509
# self-signs the request with the server key and ignores -CA/-CAkey, so the
# result would not be CA-signed at all.
openssl x509 -req -in server-req.pem -out server-cert.pem \
-CA cacert.pem -CAkey private/cakey.pem \
-CAcreateserial -days 365
Done! The server certificate is now signed by your very own (not very trustworthy) CA. It can now be used with, for example, Apache (for HTTPS) or, as in my case, by any other odd OpenSSL implementation :)
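The same three steps driven from a script, with the check a practitioner wants at the end: ask openssl verify whether the server certificate actually chains to the CA. This is an added example, not the post's own commands; it assumes an openssl binary on PATH, and the subject names are made up. It also builds the -signkey variant to show that it does not verify against the CA.

```python
"""Build a throw-away CA, sign a server CSR with it, and verify the result.

Added example (not from the original post). Requires `openssl` on PATH.
Subject names are constructed for the demo.
"""
import subprocess
import tempfile
from pathlib import Path


def run(*args: str) -> subprocess.CompletedProcess:
    # Every openssl call goes through here; output is captured, failures raise.
    return subprocess.run(["openssl", *args], capture_output=True, text=True, check=True)


def build_certs(workdir: Path) -> dict:
    """Return paths of the CA cert, the CA-signed server cert and a self-signed one."""
    ca_key, ca_cert = workdir / "cakey.pem", workdir / "cacert.pem"
    srv_key, srv_req = workdir / "server-key.pem", workdir / "server-req.pem"
    signed, selfsigned = workdir / "server-cert.pem", workdir / "self-signed.pem"
    # Step 1: CA key and self-signed CA certificate (non-interactive via -subj).
    run("req", "-new", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
        "-subj", "/CN=Throwaway Test CA", "-keyout", str(ca_key), "-out", str(ca_cert))
    # Step 2: server key and certificate request.
    run("req", "-new", "-newkey", "rsa:2048", "-nodes",
        "-subj", "/CN=server.example", "-keyout", str(srv_key), "-out", str(srv_req))
    # Step 3: sign the request with the CA. No -signkey: that option makes x509
    # self-sign the request with the server key and ignore -CA/-CAkey.
    run("x509", "-req", "-in", str(srv_req), "-CA", str(ca_cert), "-CAkey", str(ca_key),
        "-CAcreateserial", "-days", "365", "-out", str(signed))
    # The -signkey form, kept only to show what it yields.
    run("x509", "-req", "-in", str(srv_req), "-signkey", str(srv_key),
        "-days", "365", "-out", str(selfsigned))
    return {"ca": ca_cert, "signed": signed, "selfsigned": selfsigned}


def chains_to_ca(ca_cert: Path, cert: Path) -> bool:
    """True if `openssl verify -CAfile` accepts cert as issued by ca_cert."""
    proc = subprocess.run(["openssl", "verify", "-CAfile", str(ca_cert), str(cert)],
                          capture_output=True, text=True)
    return proc.returncode == 0


def demo() -> tuple:
    """(CA-signed cert verifies, -signkey cert verifies) -> expected (True, False)."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = build_certs(Path(tmp))
        return chains_to_ca(paths["ca"], paths["signed"]), chains_to_ca(paths["ca"], paths["selfsigned"])


if __name__ == "__main__":
    print("CA-signed verifies: %s, -signkey variant verifies: %s" % demo())
```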
I’ve been looking for a good way of keeping my Debian systems up to date. However, there is no really good way of doing this, from what I’ve found. There is a problem with letting APT do both the update and the installation/upgrade without the user having to intervene manually: there is no way for the user to know what packages were installed, or whether the system needs further configuration or even a restart (if, for example, the kernel itself is updated/patched).
So, the most practical solution I’ve come up with is to be informed when updates are available, and then do the actual upgrade myself. One way of doing this is to use the package cron-apt, which just downloads the new versions of the packages but never installs them. It then sends a mail to a predefined user, telling him what packages are ready to be installed.
However, I ended up writing my own little shell script. It’s very basic, but does what it’s supposed to.
Update: I’ve made some changes to the script. During the night I was spammed with 19 mails saying that there were updates available, and I only need one mail to tell me that. So, the script now uses a temporary file to find out whether a mail has already been sent or not. Also, I made some minor adjustments to the code in general.
#!/bin/sh
# Debian update script, by Göran Sandahl goran@gsandahl.net http://gsandahl.net
# This script will inform you if there are updates available for your host.
# The script should be kind of self-explanatory. Run it in cron every 10 minutes.

# Set the email address that should receive the update information. Also, the file
# that contains the last sent mail. When updates are available, a mail is sent only
# if the mail that will be sent isn't the same as the one in the file. That way
# we won't get spammed if updates are available, but we are unable to update them.
mail_adress="goran@gsandahl.net"
lastsentmail="/tmp/.lastsentmail.tmp"

# String of how the output looks when there are no updates
matchstring="0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded."

# Only the apt output is compared with the last mail; the date line is added
# when sending, since it would otherwise make every probe look different.
result=$(echo "---" && apt-get update && echo "---" && apt-get --simulate upgrade)

if ! echo "$result" | grep -q "$matchstring" && \
   ! { [ -f "$lastsentmail" ] && [ "$result" = "$(cat "$lastsentmail")" ]; }
then
    { echo "This probe was done: `date`"; echo "$result"; } | mail -s "`hostname`" "$mail_adress"
    echo "Packages for update, mail sent"
    echo "$result" > "$lastsentmail"
fi
Here’s what the mail looks like:
I run this script on all of my Debian boxes, and they send me an email when updates are available. The mail includes the output of both apt-get update and apt-get --simulate upgrade. I recommend placing it in cron, somewhat like this:
twosome# echo "0-59/10 * * * * /home/neewt/debian-update.sh >> /dev/null" >> ~/temp_file
twosome# crontab ~/temp_file
This will run the script every 10 minutes, as the user you entered those commands as. I run them as root, because by default no other user is allowed to run apt-get. However, it might be smarter to give a user sudo rights (by adding them to the group wheel) and allow them to run only this script with root permissions. That’s probably how I will do it.
If you don’t have an MTA (Mail Transfer Agent, which is needed for the ‘mail’ command) on the server you intend to run this on, I can suggest a tiny MTA. It’s in Debian stable as the package ssmtp. Very easy to set up, and very easy to maintain.
Please tell me what you think, and/or if you do this another way.
Some time ago, we had a lab exercise as part of a course at the university, which involved setting up one-time password authentication. This exercise actually failed because it was badly planned. However, to me it sounded cool, and I wanted to give it a shot. It would be awesome to be able to use one-time passwords for remote logins when sitting in an (insecure?) coffee shop in, say, Thailand? My friend
Using Debian makes this task easy (as always). I’d like to point out that I’m (still) running the stable Woody set, but if you’re running Sarge there will probably not be too many differences.
First off, install the package opie-server (this will also pull in opie-client, as it’s a dependency). These are the tools that make this magic work. The opie-server creates and maintains the OTP keys, and opie-client makes OTP passwords from those keys (very roughly speaking). To be able to use this in a real login procedure, we need to install libpam-opie. This gives us the tools to enable OTP authentication for real, with for example SSH.
foursome:/# dpkg -l | grep opie
ii libpam-opie 0.21-7 Use OTP’s for PAM authentication
ii opie-client 2.32-8.1 OPIE programs for generating OTPs on client
ii opie-server 2.32-8.1 OPIE programs for maintaining an OTP key fil
Now, all we have to do is enable this PAM module in the appropriate configuration file, which is /etc/pam.d/ssh. There are a lot of different setups available for this, and some of them can be found in libpam-opie’s documentation (found in /usr/share/doc/libpam-opie/). In my configuration example, I will be able to log in with my ordinary Unix password -OR- a one-time password. Why? Simply because it would be extremely inconvenient for me if I had to use an OTP even though I log in from my secure LAN, which is what I do in 90% of the cases. But, for those occasions when I don’t trust the computer I’m at (if I believe there might be keyloggers or something like that on them; in other words, any Windows box :)), I can just choose to log in with an OTP. To have this configuration, be sure to have the following “auth” lines in your /etc/pam.d/ssh.
auth required pam_nologin.so
auth required pam_env.so
auth sufficient pam_unix.so
auth sufficient pam_opie.so
auth required pam_deny.so
Basically this tells us that Unix passwords are sufficient, and so are OPIE OTP passwords. If neither is met, the login will be denied. Also, be sure to enable PAM authentication in /etc/ssh/sshd_config by setting UsePrivilegeSeparation no and PAMAuthenticationViaKbdInt yes, and restart sshd.
Now, we are at the step of creating the OTP-keys and passwords.
test@foursome:~$ opiepasswd -c -f
Adding test:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase: ******
Again new secret pass phrase: ******
ID test OTP key is 499 fo7385
SKIN TRIO FARM OATH MA SHE
test@foursome:~$
This should be done in a secure environment, and not from remote, as I’m doing here.
The last two lines tell us that the OTP matching sequence number 499 with seed fo7385 is “SKIN TRIO FARM OATH MA SHE”. So logging in to this host from remote will look something like this (first, the Unix password is prompted for, and simply pressing Enter will skip that):
$ ssh test@192.168.0.10
Password:
otp-md5 499 fo7385 ext, Response:
Linux foursome 2.4.18-bf2.4 #1 Son Apr 14 09:53:28 CEST 2002 i686 unknown
test@foursome:~$
But how would we know the one-time password when we are at a remote location? Well, either you can use some software that can calculate the password when configured with the secret pass phrase and OTP sequence number, or you can have a list of passwords printed out. To get a range of sequence numbers, all you have to do is something like this:
test@foursome:~$ opiekey -n 10 498 fo7385
Using the MD5 algorithm to compute response.
Warning: Continuing could disclose your secret pass phrase to an attacker!
Enter secret pass phrase:
489: GILT ROTH VINE CHOU LYNN THAN
490: SILO BAIL ULAN TELL NEWT ITEM
491: ROOD CLOD HOWE BONG LUGE WIN
492: DRAW NIT HOOD RACY NOVA SHAG
493: REIN ROAD HERB LEAK MAID KANT
494: SAG AIRY OMIT VIEW GLOM ECHO
495: CRIB ENDS GUST ACHE JOG BAH
496: CANE IRE BEET MORN CUP BREW
497: SUNK IDLE HAWK HUGH KNEE FIG
498: WET RUDY ORGY GRAY ARAB SET
This will give us 10 OTPs.
I’ve probably forgotten something, and if you notice what, please inform me. I think this is a good way of adding a bit of extra security to SSH and remote access. If my Ericsson T610 would support a decent version of Java I’d be happy, because then I could run a software OTP calculator, such as
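What the sequence number, the seed and the opiekey list are underneath, as an added example (not the OPIE code from the post): the RFC 2289 otp-md5 hash chain, with the client side that opiekey performs and the verifier side that only holds the OTP for the current sequence number. The six-word encoding is left out; the hex form RFC 2289 also allows is used instead, and the test data are the RFC 2289 Appendix C MD5 vectors.

```python
"""One-time password chain behind otp-md5, per RFC 2289 (S/KEY style).

Added example, not the opie-server/opie-client code from the post. Shows where
the sequence number and seed in the opiepasswd and opiekey output come from,
and how a verifier checks a response without ever holding the pass phrase.
Responses are handled in hex (the six-word dictionary encoding is omitted).
"""
import hashlib


def _fold(digest: bytes) -> bytes:
    # RFC 2289: fold the 128-bit MD5 output to 64 bits by XORing its halves.
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """8-byte OTP for sequence number `count`: hash the lower-cased seed plus
    pass phrase once, then re-hash the result `count` more times."""
    key = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(count):
        key = _fold(hashlib.md5(key).digest())
    return key


def otp_list(passphrase: str, seed: str, last: int, n: int) -> dict:
    """What `opiekey -n 10 498 seed` prints: the n passwords ending at `last`."""
    return {c: otp_md5(passphrase, seed, c).hex() for c in range(last - n + 1, last + 1)}


class OtpVerifier:
    """Server side. Stores only seed, current sequence number and the OTP for
    that number (what opiepasswd writes), never the pass phrase. A response
    for number N-1 is accepted if one more hash turns it into the stored OTP
    for N; it then replaces the stored value, so it cannot be replayed."""

    def __init__(self, seed: str, count: int, current: bytes):
        self.seed, self.count, self.current = seed, count, current

    def challenge(self) -> str:
        # Same shape as the "otp-md5 499 fo7385" prompt shown in the post.
        return "otp-md5 %d %s" % (self.count - 1, self.seed)

    def verify(self, response_hex: str) -> bool:
        response = bytes.fromhex(response_hex)
        if self.count <= 0 or _fold(hashlib.md5(response).digest()) != self.current:
            return False
        self.count -= 1
        self.current = response
        return True
```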