Category Archives: Beginner

Let's Encrypt Certificate for SMTP with STARTTLS

Let's Encrypt provides an easy way to get free certificates not only for web servers, but also for email servers like Postfix.

The way Let's Encrypt usually works requires you to setup a web server. Let's Encrypt sends you a challenge, and you have to prove ownership of the domain by providing a response to that challenge. You do this by placing the response in a certain URL on your web server:
http://www.yourserver.com/.well-known/acme-challenge/FgedPYS65N3HfwmM7IWY2...

That way you prove that you are the owner of the domain "yourserver.com". But there is another even easier way to prove ownership of a domain: DNS. You place the response in a specific TXT record of your domain: _acme-challenge.www.yourserver.com

  • You can use your domain hosting service (GoDaddy, Whois, etc.) to create a new TXT record.
  • The "certbot" command line client does all the rest in just one call.
  • Under Debian 9 and 10, "certbot" is part of the official package repository.
  • You can run certbot on any Linux client. You don't have to run it on the email server.

Example

In this example the public hostname of your mail server is mx.yourserver.com. Therefore you have to create a TXT record called _acme-challenge.mx.yourserver.com . The value of the TXT record is in the output of certbot.

# certbot certonly --manual --preferred-challenges dns -d mx.yourserver.com
 
Saving debug log to /var/log/letsencrypt/letsencrypt.log 
Plugins selected: Authenticator manual, Installer None 
Obtaining a new certificate 
Performing the following challenges: 
dns-01 challenge for mx.yourserver.com 
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
NOTE: The IP of this machine will be publicly logged as having requested this 
certificate. If you're running certbot in manual mode on a machine that is not 
your server, please ensure you're okay with that. 
 
Are you OK with your IP being logged? 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(Y)es/(N)o: Y 
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Please deploy a DNS TXT record under the name 
_acme-challenge.mx.yourserver.com with the following value: 
 
1A4RACHEISTBLUTWURST_egTVadkeiieikeieisfkfk
 
Before continuing, verify the record is deployed. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Press Enter to Continue 
Waiting for verification... 
Cleaning up challenges 
 
IMPORTANT NOTES: 
 - Congratulations! Your certificate and chain have been saved at: 
   /etc/letsencrypt/live/mx.yourdomain.com/fullchain.pem 
   Your key file has been saved at: 
   /etc/letsencrypt/live/mx.yourdomain.com/privkey.pem 
   Your cert will expire on 2020-02-15. To obtain a new or tweaked 
   version of this certificate in the future, simply run certbot 
   again. To non-interactively renew *all* of your certificates, run 
   "certbot renew" 
 - If you like Certbot, please consider supporting our work by: 
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate 
   Donating to EFF:                    https://eff.org/donate-le
Share

Christmas Time is Shopping Time ... Sort of

Christmas is coming early this year, so I wanted to browse the Internet to see what kind of extra effort our local retail industry is expending. Out of curiosity I chose the largest, most famous shopping street in the Capital of Germany: Berlin's Kurfürstendamm. And located in that street, there is Berlin's most famous shopping mall: Europa-Center - the name says it all.

My expectation: Pretty Javascript snowflakes slowly falling down on heaps of shopping bargains, indoor maps, rotating 3D product pictures ... you know the usual Christmas websites.

Reality: A phpMyAdmin login page with an invalid TLS certificate.

Words can barely describe my level of incomprehension how this can possibly happen. Either the retail industry has already given up the fight against Chinese Ebay sellers, or they just don't believe in online marketing. Either way, I will spend my holiday shopping season online.

P.S.: What is so hard about indoor floor plans? Interactive HTML5 3D animations would be nice though.

P.P.S: Please ignore the red DNSSEC sign, it is supposed to ... ah, just forget about it.

Share

C++ - The Beast is Back (Halloween Special)

C++ The Beast is Back

Do you remember the time when programming languages like Visual Basic and Java came out and flourished, because they let programmers forget about all the underlying technical details of computers, so they could focus more on things like algorithms and use cases?

"I don't wanna waste my time with solving memory management problems or all those other low level stuff. These days are finally over!" Many programmers hated C++ because they were annoyed by memory leaks, pointers, byte sizes of variable types and data structures, compiler errors, linker warnings, ... the list goes on and on.

And managers? They loved Java and Visual Basic. Less tech talk about problems nobody really understands anyway, faster time to market, happy customers, what else could you want?

It seemed like the days of C and C++ were counted. Maybe they could still be used for some low level system programming, but certainly not application programming. Instead let's move on and jump on the ponderous but convenient bytecode train. Just add some more RAM modules to the server, and triple the disk space of those cloud containers, then we're done. What a beautiful simple world it is now, the world of software programming. Right? Right?? Right???

The Return of the Beast

Well ... not so fast (pun intended). New emerging technologies like Big Data, Blockchain and AI become part of everyday application development. And what about IoT (edge cloud)? Small IoT devices don't have Terabytes of RAM and server scale CPU processors. All of these rapidly growing technologies require lean and fast code modules tailored to their specific requirements.

I recently came across a free eBook from O'Reilly: C++ Today - The Beast is Back. It is from 2015, but large parts are still valid today. I highly recommend reading it. Once you have finished, here is my very own top 5 list of reasons why "the beast is back":

  1. Coding discipline
    Source code formatting, code commenting, coding guidelines, best practices: Python brought discipline back into aspiring programmers. Coders are now less annoyed by investing time in high quality source code, because they realize it will in turn create higher quality software that is easier to maintain and safes time and money in the end. C++ development also requires a lot of discipline and attention to details, but you are rewarded with a minimum disk and memory footprint and unparalleled performance.
  2. Focus on technology
    Tech is back: Logging in with SSH to a remote git server? Using vim to fix a typo in some Python source files? No problem. Today there are more tutorials out there about vim and the Linux command line than ever before. Students again want to get in touch with the underlying technology and learn how stuff works under the hood. Knowing the memory footprint of a running program is not considered evil sorcery any more.
  3. New standards
    C++ has come a long way since the last decade:
    C++11, C++14, C++17, C++20
    New programming ideas and standards are coming up every year, and C++ is adapting fast.
  4. New technologies
    Blockchain, IoT, Big Data, Machine Learning and AI: Exciting new technologies are all about performance, data crunching, sheer numbers. You need a lean and fast beast like C++ to tame them. For example the core of TensorFlow, today's most popular machine learning framework, is written in C++.
  5. Low competition
    In July 2019 Microsoft announced they are thinking about moving from C++ to Rust for developing internal and external software. My question: What do you do with the rest of the weekend? Seriously: It might sound like a great idea to get rid of stack overflow problems and the like, but porting tons of code from C++ to Rust will probably take decades. Furthermore, Rust is not nearly as developed and stable as C++. There sure are still heaps of banana skins hidden beneath the shiny new surface of Rust.

Share

How to reduce digital carbon footprint

Just read an online article about how to reduce your digital carbon footprint. They came up with solutions like "switch off your smartphone once in a while".

WHAT???

Completely ridiculous, so here are my personal recommendations how to significantly reduce global digital carbon footprint.

  1. Do not play video games.
  2. Do not mine bitcoins.
  3. Use a laptop instead of a PC.
  4. Use a Raspberry Pi instead of a laptop.
  5. Use a tablet or smartphone instead of a Raspberry Pi.
  6. Centralize your data at cloud providers located in countries that use cheap and low-carbon nuclear energy.
  7. Avoid cloud services in countries with lots of coal-fired power plants.

For the record:
#1 
With "video games" I mean fully blown graphic rich applications that run locally on your PC and require special video equipment like high performance graphics cards and low response time monitors. Games like Tetris that don't require any special hardware do not fall into this category. The growing market of mobile games also does not qualify for saving a considerable amount of energy.
#6  There is a lot of controversial information out there about the overall costs of nuclear power plants. While some say the price for building a new nuclear power plant is much higher than one for renewable energies, others claim that the ongoing costs to maintain a nuclear power plant are much cheaper and therefore in the end saves money. Fact is, lots of countries continue to build new nuclear power plants because they do not want to switch to renewable eco-friendly sources. 1 2 3 4

The video game industry has surpassed the combined movie and music industry a long time ago. There are an estimated 2.3 billion gamers in the world.

Worldwide there are 1.35 million people dying in traffic accidents every year 1. Nevertheless nobody would come to the conclusion to eliminate cars. Instead the car industry tries to find new ways to make cars safer, more energy efficient and Eco friendly. The same should be true for nuclear power plants. For example today's modern nuclear reactors are capable of transforming nuclear waste itself into energy.

One-word-answer Q&A about coal-fired power plants

Question Answer

Since when do we know that coal-fired power plants are the number one reason for climate change? (Yes, it's coal-fired power plants, not cars!)

 Decades.

Why didn't we make coal exit plans earlier?

  Jobs.

Why don't renewable energy sources provide enough clean energy in the future?

 Efficiency.

Share

Top 5 reasons in favor or against a programming language

Computer Binary Code

Top 5 reasons why JavaScript is so popular

  1. People have learned JavaScript at school or for their first private website, and want to continue using that skill for everything else to come.
  2. See #1
  3. See #1
  4. See #1
  5. See #1

Top 5 reasons why people hate C++

  1. They don't know C++.
  2. They are afraid of pointers.
  3. They are afraid of pointers.
  4. They are afraid of pointers.
  5. They are ▓ of memory leaks.▓▓▓▓▓▓▓▓▓▓

Top 5 reasons why big projects slowly move away from Java

  1. JVM needs too much memory.
  2. See #1
  3. See #1
  4. See #1
  5. See #1
  6. See #1
  7. See #1
  8. See #1
  9. See #1
  10. Runtime.getRuntime().gc();

Top 5 reasons why Python is so insanely popular

  1. Everyone else is using it.
  2. Nobody cares about multithreading. ("Hey, today's computers are fast anyway, right?")
  3. Kids today don't remember source code structuring by indentation used in early programming languages like Cobol, Fortran or AS400, so they think it's the new cool thing to create easy to read, structured source code. Here we go again ... ("At least it is different from old school Java, so it must be a step forward, right?")
  4. import #1, #2, #3
  5. import #1, #2, #3

Top 5 reasons why PHP still is so popular

  1. sudo -u root "People are afraid that CGI might return."
  2. action="1.cgi"
  3. action="1.cgi"
  4. action="1.cgi"
  5. action="1.cgi"

Top 5 reasons why people use Go

  1. It was created by Google. Maybe when I apply for a job at Google, they check out my GitHub projects.
  2. I <3 Google
  3. I <3 Google
  4. I <3 Google
  5. git push

Top 5 reasons why people are embarrassed to mention Bash

  1. echo "Shell scripting is not real programming." | tee 2. 3. 4. 5.

Top 5 reasons why CSS is considered a programming language

  1. Who cares?

Top 5 reasons why people don't even look at Perl anymore

5. programming style: two words
4. See #3
3. See #2
2. See #1
1. See #5

Share

Slow wifi network on Linux laptop

wifi on Linux laptop

If network performance on your laptop is slow and unstable, it might be because power management of your wifi adapter and of Linux are not playing together.

One of the things you will notice are flapping ping rates:

$ ping 192.168.0.1 
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=23.3 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=44.7 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=1161 ms
64 bytes from 192.168.0.1: icmp_seq=4 ttl=64 time=35.2 ms
...
^C
--- 192.168.0.1 ping statistics ---
30 packets transmitted, 20 received, 33% packet loss, time 30000.14s
rtt min/avg/max/mdev = 23.3/537.9/2119.2/2005.3 ms

As you can see the 3rd ping has a high round trip time of over one second. You might also notice high packet loss rates.

If this is the case and your hardware seems to be ok, you can try to switch off Network Manager's automatic power management in /etc/NetworkManager/conf.d/default-wifi-powersave-on.conf:

[connection] 
wifi.powersave = 2

Restart NetworkManager (sudo systemctl restart NetworkManager) or reboot your Laptop.

If you are not using NetworkManager, you can try to switch off power management directly:

sudo iwconfig wlp2s0 txpower fixed

Afterwards check that power management is really disabled:

sudo iwconfig wlp2s0
...
Power Management:off
...
Share

Security Alert: Migrate to Post-Quantum Cryptography Right Now!

Current cryptographic algorithms will be broken within the next couple of years. The time to migrate to post-quantum cryptography is right now. Ah yes ... and while you're at it, don't forget about crypto currency.

https://www.zdnet.com/article/ibm-warns-of-instant-breaking-of-encryption-by-quantum-computers-move-your-data-today/

Migration steps towards post-quantum cryptography:

  1. Identify possible technologies
  2. Choose algorithms for standardization
  3. Standardization (RFCs)
  4. Implementation
  5. Integration into operating systems

Right now, we are at step 1 and 2.

Update (20.04.2018)
OpenSSH 8.0 supports quantum-computing resistent key exchange method - still experimental though.
https://www.openssh.com/txt/release-8.0

Share

Android smartphone "Cubot Echo"

Smartphone

Cubot is a Chinese Android smartphone brand that offers a wide variety of inexpensive phone models. With the Cubot Echo (released in 2016) you get surprisingly good quality at a low price.

https://www.cubot.net/smartphones/echo/spec.html

One of the main advantages of Cubot smartphones is their native Android version. Many smartphone manufacturers heavily modify Android and add tons of "features" and apps that you don't really need and are more annoying than helpful. They hope to create a unique customer experience that makes users get accustomed to their brand so they choose the same brand again for their next phone. Moreover these modifications often slow down overall performance and introduce security holes.

Cubot ships all their models with an almost native Android version. No modifications (except necessary adaptions to hardware), no annoying apps or background tasks that cannot be removed, etc.

Pros
+ Very good overall hardware quality compared to cheap price (unbreakable display, strong body for outdoor use)
+ Good display, camera quality and performance compared to cheap price
+ Large 5.0 inch display
+ HDR photography
+ Up to 128 GB micro sdcard (supported, but not included)
+ Plain Android user experience, no annoying modifications or add-ons
+ Removable battery
+ Cheap price

Cons
- Android security patch level only from 05.06.2017, but latest firmware update (which will be installed automatically after setup) DOES include security patch for WiFi WPA2 KRACK attack (build 08.02.2018). Android 6 Marshmallow does no longer receive security updates from Google, but you can install the unofficial Android alternative LineageOS based on Android 7 Nougat.
- No 4G / LTE support
- A bit heavy
- Released in 2016, a little bit outdated

Verdict
You can get this Android smartphone for as cheap as 60 EUR. If you can live with the security issues and the missing LTE support, that's a definitive buy. Especially considering that the upcoming Google Pixel 3 flagship for 850 EUR guarantees Android security updates for only 3 years. You could buy 14 Cubot Echos for that price. And the Google Pixel 3 does not have a removable battery, which makes it very hard to replace.

Cubot comparison chart

Cubot EchoCubot J5
Android VersionAndroid 6 Marshmallow
(no longer supported)
Unofficial support for LineageOS
based on Android 7 Nougat
Android 9
ProcessorMT6580 1.3 GHz Quad-coreMT6580 1.3 GHz Quad-core
Display5" IPS
(1300:1 contrast)
5.5" IPS
(18:9 format, 1300:1 contrast)
Brightness (cd/㎡)450450
Memory (RAM / ROM)2 GB / 16 GB2 GB / 16 GB
Max. Additional Storageup to 128 GB (not included)up to 128 GB (not included)
Camera (Back / Front)13 MP / 5 MP8 MP / 5 MP (interpolated)
LTEnono
Extras - Micro + standard dual SIM (no eSIM)
- A-GPS
- USB OTG
- Special sound chip with big speaker
- Unbreakable case
- Dual nano SIM (no eSIM)
- A-GPS
- Curved display sides
- Gradient color case
Battery3000 mAh (removable)2800 mAh (removable)
Price~ 60 €~ 65 €
Cubot NovaCubot Magic
Android VersionAndroid 8.1 OreoAndroid 7 Nougat
ProcessorMT6739 1.5 GHz Quad-coreMT6737 1.3 GHz Quad-core
Display5.5" HD+
(18:9 format, 1300:1 contrast)
5" IPS
(1300:1 contrast)
Brightness (cd/㎡)450450
Memory (RAM / ROM)3 GB / 16 GB3 GB / 16 GB
Max. Additional Storageup to 128 GB (not included)up to 128 GB (not included)
Camera (Back / Front)13 MP / 8 MP13 MP / 5 MP
(13 MP +2 MP Dual Back Camera)
LTEyesyes
Extras - Dual 4G nano SIM (no eSIM)
- A-GPS
- Fingerprint sensor
- Dual micro SIM and dual standby (no eSIM)
- A-GPS
- Curved display sides
Battery2800 mAh (removable)2600 mAh (removable)
Price~ 70 €~ 70 €

Share

Security Guidelines

Computer Security

Physical Device Security

  • Always completely switch off your computer and lock your computer safely away, even if you just visit the bathroom. Screen saver locking or putting the laptop into sleep mode is not enough (Cold Boot Attacks).
    https://blog.f-secure.com/cold-boot-attacks
  • Don't display anything important on your computer screen (Van-Eck-Phreaking).
    https://twitter.com/windyoona/status/1023503150618210304
    http://www.eweek.com/security/researchers-discover-computer-screens-emit-sounds-that-reveal-data
  • Don't type in anything important on your keyboard or touchscreen.
    http://www.eweek.com/security/researchers-discover-computer-screens-emit-sounds-that-reveal-data
  • Install USBGuard to protect against unknown USB devices.
    (Note that USB IDs and serial numbers of USB devices can easily be replicated. Once an attacker knows the type of USB device you are using, and its serial number, USBGuard can easily be bypassed. That means: Never lend someone your USB stick, never accept a USB device from untrustworthy persons ... which means anyone.)

Software Security

  • Always use fingerprints to identify certificates for important web services. Don't rely solely on CAs.
    https://www.theregister.co.uk/2018/09/06/certificate_authority_dns_validation/

Useful Links

  • Ubuntu Security
    https://www.ubuntu.com/security
  • Ubuntu Security Features Matrix
    https://wiki.ubuntu.com/Security/Features
  • End User Device Security Guidance for Ubuntu 18.04 LTS from the NCSC (National Cyber Security Center, part of GCHQ)
    https://www.ncsc.gov.uk/guidance/eud-security-guidance-ubuntu-1804-lts
Share

Password security - it is not about length or complexity

Password

Passwörter sollten nach Möglichkeit nicht im Klartext am Bildschirm angezeigt werden. Neben dem offensichtlichen Shoulder Surfing ("über die Schulter schauen"), gibt es auch sog. Seitenkanalangriffe in blickgeschützten Bereichen.

Das ursprünglich für ältere Röhrenmonitore entwickelte Van-Eck-Phreaking, bei dem die elektromagnetische Strahlung über größere Distanzen aufgezeichnet wird, lässt sich offenbar auch für moderne LCD-Monitore mit HDMI-Kabel ausnutzen. Aus der empfangenen elektromagnetischen Strahlung wird dann das ursprüngliche Monitorbild rekonstruiert. Die dazu notwendige Elektronik ist mittlerweile schon für ambitionierte Hobby-Bastler erschwinglich.

Einige Quellen im Internet weisen ebenso auf relativ hohe elektromagetische Strahlungen und akustische Signale von aktuellen PC-Grafikkarten und Flachbildschirmen/Touchscreens in Kombination mit Monitor- und Stromkabeln hin, die im Prinzip wie eine Antenne funktionieren.

Um Sicherheitsproblemen in diesem Bereich von vornherein aus dem Weg zu gehen, kann man z.B. moderne Passwortmanager verwenden, die Passwörter automatisch generieren und dann über die Zwischenablage in die Anwendung kopieren, ohne das Passwort selbst im Klartext eintippen oder auf dem Bildschirm anzeigen zu müssen.

Share