Category Archives: Beginner

Android smartphone "Cubot Echo"

+ Very good overall quality for the low price
+ Good display, camera quality and performance for the low price
+ Large 5.0 inch display
+ HDR photography
+ Up to 128 GB microSD card, 16 GB preinstalled ROM
+ Plain Android user experience, no annoying modifications or add-ons
+ Cheap price

- Latest firmware only from June 2017 (does not include security update for WPA2 KRACK attack)
- Android 6 - though Android version 6 still has the second largest user base as of October 2018
(see https://developer.android.com/about/dashboards/)
- No 4G / LTE support
- A bit heavy

https://www.cubot.net/smartphones/echo/spec.html

Verdict

You can get this Android smartphone for as cheap as 60 EUR. If you can live with the security issues and the missing LTE support, you cannot get more value for your money elsewhere. Especially considering that the upcoming Google Pixel 3 flagship for 850 EUR guarantees Android security updates for only 3 years. You could buy 14 Cubot Echos for that price ...


Security Guidelines

Physical Device Security

  • Always completely switch off your computer and lock your computer safely away, even if you just visit the bathroom. Screen saver locking or putting the laptop into sleep mode is not enough (Cold Boot Attacks).
    https://blog.f-secure.com/cold-boot-attacks
  • Don't display anything important on your computer screen (Van-Eck-Phreaking).
    https://twitter.com/windyoona/status/1023503150618210304
    http://www.eweek.com/security/researchers-discover-computer-screens-emit-sounds-that-reveal-data
  • Don't type in anything important on your keyboard or touchscreen.
    http://www.eweek.com/security/researchers-discover-computer-screens-emit-sounds-that-reveal-data
  • Install USBGuard to protect against unknown USB devices.
    (Note that USB IDs and serial numbers of USB devices can easily be replicated. Once an attacker knows the type of USB device you are using, and its serial number, USBGuard can easily be bypassed. That means: Never lend someone your USB stick, never accept a USB device from untrustworthy persons ... which means anyone.)

Software Security

  • Always use fingerprints to identify certificates for important web services. Don't rely solely on CAs.
    https://www.theregister.co.uk/2018/09/06/certificate_authority_dns_validation/
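
One way to apply the fingerprint rule above on the command line, as an added example that is not part of the original post: the script compares the SHA-256 fingerprint of the certificate a server presents with a value you obtained out of band. The function names and the script name pincheck.sh are assumptions.

```sh
#!/bin/sh
# Added example: pin a TLS certificate by its SHA-256 fingerprint.

# Print the SHA-256 fingerprint of the PEM certificate in file $1
# as 64 lowercase hex digits (empty output if the file is unreadable).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed -n 's/^.*=//p' | tr -d ':' | tr 'A-F' 'a-f'
}

# Accept pins written as "AB:CD:...", "ab cd ..." or plain hex.
normalise_fingerprint() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# Return 0 only if the certificate in file $1 has the pinned fingerprint $2.
check_pin() {
    actual=$(cert_fingerprint "$1")
    expected=$(normalise_fingerprint "$2")
    # A missing certificate or a malformed pin must never count as a match.
    [ "${#actual}" -eq 64 ] || return 1
    [ "${#expected}" -eq 64 ] || return 1
    case $expected in *[!0-9a-f]*) return 1 ;; esac
    [ "$actual" = "$expected" ]
}

# Fetch the leaf certificate that host $1 (port $2, default 443) presents.
# Needs network access; the CA chain is deliberately not consulted here.
fetch_server_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM 2>/dev/null
}

# Usage (hypothetical script name): sh pincheck.sh HOST PINNED_FINGERPRINT
if [ "$#" -eq 2 ]; then
    tmp=$(mktemp) || exit 2
    trap 'rm -f "$tmp"' EXIT
    fetch_server_cert "$1" > "$tmp"
    if check_pin "$tmp" "$2"; then
        echo "OK: $1 presents the pinned certificate"
    else
        echo "MISMATCH: $1 presents '$(cert_fingerprint "$tmp")'" >&2
        exit 1
    fi
fi
```

A mismatch also occurs after a legitimate certificate renewal, so the pinned value has to be refreshed over a trusted channel whenever the service rotates its certificate.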

Useful Links

  • Ubuntu Security
    https://www.ubuntu.com/security
  • Ubuntu Security Features Matrix
    https://wiki.ubuntu.com/Security/Features
  • End User Device Security Guidance for Ubuntu 18.04 LTS from the National Security Center (a part of GCHQ)
    https://www.ncsc.gov.uk/guidance/eud-security-guidance-ubuntu-1804-lts

Password security - it is not about length or complexity

Where possible, passwords should not be displayed in plain text on the screen. Besides the obvious shoulder surfing, there are also so-called side-channel attacks in areas that are shielded from view.

Van Eck phreaking, originally developed for older CRT monitors, in which the electromagnetic emissions are recorded over larger distances, can apparently also be exploited against modern LCD monitors with HDMI cables. The original screen image is then reconstructed from the received electromagnetic emissions. The electronics required for this are by now affordable even for ambitious hobbyists.

Some sources on the Internet also point to relatively high electromagnetic emissions and acoustic signals from current PC graphics cards and flat screens/touchscreens in combination with monitor and power cables, which in principle act like an antenna.

To avoid security problems in this area from the outset, you can, for example, use modern password managers that generate passwords automatically and then copy them into the application via the clipboard, without having to type the password in plain text or display it on the screen.


Sending mail on the Linux command line (Ubuntu 18.04)

How to send end-to-end encrypted emails on the Linux command line.

If you want to add attachments, use mutt or mail from GNU Mailutils as the mail client. The following examples use mailx and ssmtp.

Unencrypted mail

Install package "bsd-mailx":

$ sudo apt-get install bsd-mailx

Edit /etc/mail.rc and add the following lines:

set smtp=smtp://mail.example.com
alias root postmaster@example.com

Run mailx:

$ mailx root
Subject: test 
This is a test. 
. 
Cc: 

Notes:

  • Mail gets sent to postmaster@example.com (see mail.rc).
  • Mail server is mail.example.com (see mail.rc).
  • Email message body is terminated by a single "." as the last line.

Encrypted mail (Inline PGP)

Make sure you can send unencrypted mail (see "Unencrypted mail" above).

Check that you have GnuPG version 2 installed and, if you haven't done so before, create a private and public GnuPG key pair.

$ gpg --version
gpg (GnuPG) 2.2.4
libgcrypt 1.8.1
...
$ gpg --gen-key
...

Import public PGP key from recipient.

$ gpg --import alice.pub

First sign the message (clearsign - an ASCII signature will be appended to the text), then encrypt the message, then mail it.

$ echo "Hello Alice, if you can read this your PGP mail client is working." | \
    gpg --clearsign | \
    gpg -a -r alice@example.com --encrypt | \
    mailx alice@example.com -s "PGP encrypted mail test"

Notes:

  • First sign the message. "gpg --clearsign" uses the default private key to sign the message. Check with "gpg -K". Otherwise use the option "--default-key bob@example.com" to choose a specific private key.
  • Then encrypt the message. Check with "gpg -k" that the recipient is properly added to your GPG keyring.
  • Finally send mail message. Email body is simply the signed and encrypted message text in ASCII format.
  • Email subject will not be encrypted.

Encrypted mail (S/MIME)

Make sure you can send unencrypted mail (see "Unencrypted mail" above).

You need your own public certificate / private key pair, and the public certificate from the recipient (all in PEM format).

You can get an S/MIME email certificate for free from COMODO. Or you can run your own certificate authority. Either way, both your own certificate and your own key need to be in a single file in PEM format (in the following example it is called "bob.pem").

-----BEGIN PRIVATE KEY-----
 ...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
 ...
-----END CERTIFICATE-----

The public certificate of the recipient must be in PEM format too (in the following example it is called "alice.pem"). You can extract it from an email signature if the recipient already sent you a signed email.

-----BEGIN CERTIFICATE-----
 ...
-----END CERTIFICATE-----

Install the package "ssmtp".

$ sudo apt-get install ssmtp

Again (as in the above example for PGP encrypted mail), all commands for signing, encrypting and sending the message can be chained together to a single command line.

$ echo "Hello Alice, if you can read this your S/MIME mail client is working." | \
    openssl smime -sign -signer bob.pem -text | \
    openssl smime -encrypt -from bob@example.com -to alice@example.com -subject "S/MIME encrypted mail test" -aes-256-cbc alice.pem | \
    ssmtp -t

Notes:

  • Email body is simply the signed and encrypted message text in ASCII format. OpenSSL adds all required headers to it (sender, recipient, subject).
  • If you are using an S/MIME certificate from a public CA (like COMODO) to sign your message, it is easier for the recipient to validate your signature, compared to PGP encrypted emails.
  • You still need the public certificate of the recipient, and you must somehow make sure that it is authentic.
  • Again, the email subject will not be encrypted.

Check for new versions of Firefox, Thunderbird

#!/bin/bash 
 
function checkVersion() { 
        # Quote the arguments and the character class so the shell cannot expand them
        V1=$(echo "$1" | tr -d '[:alpha:]')
        V2=$(echo "$2" | tr -d '[:alpha:]')
        MAJ1=$(echo $V1 | cut -d. -f1) 
        MIN1=$(echo $V1 | cut -d. -f2) 
        REV1=$(echo $V1 | cut -d. -f3) 
 
        MAJ2=$(echo $V2 | cut -d. -f1) 
        MIN2=$(echo $V2 | cut -d. -f2) 
        REV2=$(echo $V2 | cut -d. -f3) 
 
        if [[ $MAJ1 -lt $MAJ2 ]] ; then 
                return 1; 
        fi 
 
        if [[ $MAJ1 -eq $MAJ2 ]] ; then 
                if [[ -n "$MIN2" ]] ; then 
                        if [[ -n "$MIN1" ]] ; then 
                                if [[ $MIN1 -lt $MIN2 ]] ; then 
                                        return 1; 
                                fi 
 
                                if [[ $MIN1 -eq $MIN2 ]] ; then 
                                        if [[ -n "$REV2" ]] ; then 
                                                if [[ -n "$REV1" ]] ; then 
                                                        if [[ $REV1 -lt $REV2 ]] ; then 
                                                                return 1; 
                                                        fi 
                                                else 
                                                        return 1; 
                                                fi 
                                        fi 
                                fi 
                        else 
                                return 1; 
                        fi 
                fi 
        fi 
 
        return 0; 
} 
 
# Check Thunderbird 
TB=$(curl -s https://ftp.mozilla.org/pub/thunderbird/releases/ | sed -n "s/^\s\+<td><a href=\".*\">\(.*\)\/<\/a><\/td>$/\1/gp" | sort -g | grep -Eiv "b|esr" | tail -n 1 )
TBL=$(thunderbird -v | sed -n "s/^\s*Thunderbird\s*\(.*\)$/\1/gp")

checkVersion "$TBL" "$TB"
if [[ $? -eq 1 ]] ; then 
        echo "Update Thunderbird ($TBL -> $TB)" 
fi 
 
# Check Firefox 
TB=$(curl -s https://ftp.mozilla.org/pub/firefox/releases/ | sed -n "s/^\s\+<td><a href=\".*\">\(.*\)\/<\/a><\/td>$/\1/gp" | sort -g | grep -Eiv "b|esr" | tail -n 1 )
TBL=$(firefox -v | sed -n "s/^.*Firefox\s*\(.*\)$/\1/gp")

checkVersion "$TBL" "$TB"
if [[ $? -eq 1 ]] ; then 
        echo "Update Firefox ($TBL -> $TB)" 
fi

Settings in about:config for built-in update check:

  • app.update.interval
  • app.update.url
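
The nested comparison in the script above can also be expressed with GNU "sort -V", which compares dot-separated numbers component by component. The following is an added example, not part of the original script; the function names and the sample listing are constructed, and only plain release directories (digits and dots) are considered.

```sh
#!/bin/sh
# Added example (not the original script): pick and compare releases with sort -V.

# Constructed sample of a releases index, in the line format the sed
# expression of the script above expects.
sample_listing() {
    cat <<'EOF'
        <td><a href="/pub/firefox/releases/9.0.1/">9.0.1/</a></td>
        <td><a href="/pub/firefox/releases/60.9.0/">60.9.0/</a></td>
        <td><a href="/pub/firefox/releases/60.10.0/">60.10.0/</a></td>
        <td><a href="/pub/firefox/releases/60.10.0esr/">60.10.0esr/</a></td>
        <td><a href="/pub/firefox/releases/61.0b3/">61.0b3/</a></td>
        <td><a href="/pub/firefox/releases/latest/">latest/</a></td>
EOF
}

# Read a releases index on stdin and print the highest plain release number.
# Entries such as "latest", "60.10.0esr" or "61.0b3" are dropped because
# only digits and dots are accepted.
latest_release() {
    sed -n 's/^[[:space:]]*<td><a href="[^"]*">\([^<]*\)\/<\/a><\/td>$/\1/p' |
        grep -E '^[0-9]+(\.[0-9]+)*$' |
        sort -V | tail -n 1
}

# Reduce "60.0esr" or "63.0b5" to the leading numeric part ("60.0", "63.0").
numeric_version() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9.]*\).*$/\1/p' | sed 's/\.$//'
}

# Return 0 if installed version $1 is older than available version $2,
# 1 if it is not, and 2 if either version cannot be parsed.
needs_update() {
    installed=$(numeric_version "$1")
    available=$(numeric_version "$2")
    [ -n "$installed" ] && [ -n "$available" ] || return 2
    [ "$installed" != "$available" ] || return 1
    # The older of two different versions sorts first under sort -V.
    lowest=$(printf '%s\n%s\n' "$installed" "$available" | sort -V | head -n 1)
    [ "$lowest" = "$installed" ]
}

# Demo on the constructed listing; 60.9.0 stands in for the installed version.
latest=$(sample_listing | latest_release)
if needs_update "60.9.0" "$latest"; then
    echo "Update Firefox (60.9.0 -> $latest)"
fi
```

As in the original function, a version with fewer components ("60") counts as older than one with more ("60.0.1").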

That was 2017

Ubuntu 16.04 LTS Security Notices

Overall USNs: 348

Highest CVE priority fixed by USN:

  • High: 61
  • Medium: 277
  • Low: 5

Bugfixes in Red Hat Enterprise Linux 7

https://www.redhat.com/security/data/metrics/

Critical: 45 vulnerabilities
** Average time for fixing: 2 days
** 15% were 0day
** 37% were within 1 day
** 100% were within 7 days
** 100% were within 14 days
** 100% were within 31 days
** 100% were within 90 days

Important: 137 vulnerabilities
** Average time for fixing: 39 days
** 22% were 0day
** 29% were within 1 day
** 63% were within 7 days
** 65% were within 14 days
** 69% were within 31 days
** 87% were within 90 days

Moderate: 308 vulnerabilities
** Average time for fixing: 165 days
** 3% were 0day
** 8% were within 1 day
** 20% were within 7 days
** 21% were within 14 days
** 25% were within 31 days
** 43% were within 90 days

Low: 103 vulnerabilities
** Average time for fixing: 264 days
** 0% were 0day
** 2% were within 1 day
** 7% were within 7 days
** 7% were within 14 days
** 7% were within 31 days
** 19% were within 90 days


Top 20 reasons for choosing weak passwords

  1. You just don't care because the account does not contain sensitive data and you are not using your real name anyway.
  2. Typing in strong passwords with a combination of special characters and regular characters takes ages on smart phones and tablets.
  3. Computers can't be trusted anyway, so why bother with a complicated password?
  4. Nobody is interested in you anyway.
  5. Password is for a shared account. Explaining to someone the password "%&__!(E2-<"+?=-:*d3//#@" over the phone is just too nerve-racking.
  6. You want to have access to the account in case of an emergency, and you are afraid to forget the password if it is too complicated.
  7. "12345" cannot be so bad if everyone else is using it as a password.
  8. After using strong passwords for years, your wifi was hacked by a 13 year old neighbor kid who got bored playing World of Warcraft on a Saturday evening.
  9. When creating an account you first choose a password easy to remember, only to change it later to a much more secure password. Never happens.
  10. The real password is your username.
  11. You are a math genius: If "12345" is so highly likely to be guessed, why do these numbers never get picked by the national lottery?
  12. Two words: Quantum computers
  13. Passwords are for pussies: Secret information is hidden in porn movies using steganography.
  14. You are a celebrity who wants to get into the headlines.
  15. You want to become a celebrity and therefore use every way to get into the headlines.
  16. Wife wants to set a trap for her husband to see if he is spying on her. Chooses a weak password and checks login times regularly.
  17. What was the question? Passwords? ... yeah ... do you know where my skateboard is?
  18. You know that "12345" is not secure, but at least it's more secure than "1234".
  19. The account is only a temporary account. You use it once and then forget about it.
  20. The account was automatically created by a script.

Restart graphical user interface in Linux

To help you better understand how to restart the GUI in Linux, here is some background information about how the GUI works in Linux:

If you are familiar with Windows, you know that the graphical Windows interface is tightly integrated into Windows. If you start a Windows computer, you automatically start the graphical user interface (GUI). First the Windows logo is twirling around, and then you are presented with the login screen. Only recent server versions of Windows have the option to be installed without graphical user interface. It is called "Server Core", and even in this mode Windows displays a very basic graphical surface that has only a terminal window. This desktopless installation option was a big deal for Windows, as the GUI is so tightly integrated into the operating system. Also there was no adequate command line interface to control and configure all Windows functions. Therefore Microsoft put great effort into making the PowerShell just as "powerful" as the graphical Windows interface.

Linux follows a completely different approach. By default if you start Linux, only the basic command line interface is started. You are presented with a text login screen, and after you login you see the command prompt of your shell in text mode.

The GUI in Linux is built on top of this minimal system. It is made up of a couple of processes that are launched by the root user and the user that is currently logged in. The starting point for the GUI is a program called the "display manager". The display manager starts the display server and presents you with a graphical login screen. After successful login it starts your desktop environment and your programs like web browser or email client.

So here is the chain of events that starts your Linux desktop:

| # | Name | Description | Examples |
|---|------|-------------|----------|
| 1 | display manager | Starts x-server and displays graphical login screen. After successful login, the desktop environment will be started. | GDM, LightDM, KDM, SDDM, etc. |
| 2 | desktop environment | Starts its window manager and runs user programs. | Gnome, Unity, KDE, etc. |
| 3 | window manager | Determines the look-and-feel of your GUI and is responsible for any 2D / 3D effects. | Mutter, Compiz, KWin, etc. |

The display server is the component that actually draws pixels on the screen and communicates with the graphics card, mouse and keyboard in a graphical environment. It therefore needs to be present both before and after graphical login. Note that this is not the case for the desktop environment or the window manager; they are only started after successful login. As of today, the most popular display server by far is the x-server (also known as X11 or x.org server), although it will probably be replaced soon by other display servers like Wayland or Mir. 2D and 3D effects are performed by the window manager.

While there is a tight integration of desktop environment and window manager, you can use any display manager to start your favorite desktop environment. Usually there is an option on the login screen to tell the display manager which desktop environment to start after successful login. That might be useful if you accidentally installed and activated another login manager. Let's say you are running Gnome with the GDM display manager. After installing a KDE program, the dependencies of the program package pulled in the whole Qt libraries along with the KDM display manager. The next time you log in you are presented with the KDM display manager. This is actually no big deal. Just select the GNOME desktop environment from the options menu of KDM. After typing in username and password, GNOME will be started.

Here is a list of desktop environments with their default display manager:

| Desktop Environment | Default Display Manager |
|---------------------|-------------------------|
| Unity | LightDM |
| GNOME | GDM |
| KDE | KDM (obsolete) / SDDM |

How does Linux know which display manager to start if more than one is installed?
The file /etc/X11/default-display-manager contains the full path of the default display manager to start.

Back to the original question: How do you restart the graphical user interface of Linux without rebooting the whole computer? The answer is easy: Just restart the display manager.

As we have seen earlier, the display manager is actually the starting point for the whole GUI. By shutting down the display manager, all graphical processes will be stopped too. Here is an example of how to stop SDDM (run as root):

$ sudo killall sddm

SDDM will be restarted automatically. With other display managers you may have to start them manually as root.

There is also a way to bypass the display manager. If you are already logged in as a regular user in text mode, you can also start the desktop environment manually. E.g. for KDE you would type in:

$ /usr/bin/startkde

Always make sure to start the desktop environment as a non-privileged user, not as root. Otherwise all programs will be running with root privileges, which is something you should avoid at all costs. If you want to start individual programs with root privileges (e.g. WireShark), there are tools like "kdesudo" that launch a program under the root user.

Important things to note:

  • Unlike Windows there is a strict separation of the graphical user interface and the basic system in Linux.
  • The display manager is started by the root user. It is the entry point for the graphical user interface.
  • The desktop environment is run by a non-privileged user, typically the user that logs into the display manager.
  • In general you can use any display manager to start any desktop environment. You can use GDM to start KDE, or SDDM to start GNOME.
  • To restart the graphical user interface, you need to restart the display manager.

How to download Twitter videos (animated GIFs)

There are 2 types of Twitter videos: animated GIFs and real videos. This post is about animated GIFs. They have the text "GIF" printed on them when they are not playing.

To download animated GIFs there doesn't seem to be an easy way in Google Chrome unless you use an extension.

In Firefox:

  • open the tweet
  • right click on the video
  • choose "This Frame" -> "Page Info"
  • Under "Media" choose the mp4-file and click "Save As..."

 
