Thoughts on Mailpile

I was quite excited when Mailpile was released as a beta, and it made it onto my list of 'must have a play with'. Life being life though, I didn't get the chance to give it a proper go until recently.

Sadly, it was somewhat anti-climactic and I've been left feeling more than a little underwhelmed. Mailpile shows a lot of potential, but it's definitely not ready for production yet.

I ran my testing on a CentOS 6 VM, and in this post will summarise the good and the bad.

Read more…

Installing Mailpile on CentOS 6

I've been meaning to play around with Mailpile since the beta was released back in September. Thanks to a bout of insomnia I finally found time, though it turns out that getting it up and running on CentOS 6 is initially something of a pain.

This documentation details the steps required to install and run Mailpile on CentOS 6.

DISCLAIMER: For reasons I'll discuss in a separate post, at time of writing I'd only recommend following these steps if you want to test/play with Mailpile - personally I don't feel at all comfortable with the idea of using Mailpile in production in its current state.

Read more…

Shop section closing 31 December 2014

The shop section of my site will be closing for business on 31 December 2014 and I'll be withdrawing all digital downloads from sale.

It's not something I actually wanted to have to do, but as the changes to the EU VAT rules come into effect on the 1 January 2015 (HMRC at least are calling it VAT MOSS), the additional overhead involved in compliance means that running the shop will likely no longer be financially feasible.

The closure will include everything in my (somewhat small) shop, so

  • Joomla Extensions
  • Ebooks
  • Credlocker Extensions
  • Photos

Read more…

Virtualisation: Google Play Music Manager cannot identify your computer

Although there seem to be an increasing number of things which irritate me about Google's Play Music, there's no denying that it's an incredibly convenient way to listen to music when not at home. Whether using the Android App, or playing in a browser, it makes your library available wherever you are.

It's a pity then, that Google have decided to make it such a royal PITA to upload music (I'm also not too happy about the requirement to have card details on file, even if you plan on using the free version - you should only ever need to provide card details when the plan is to actually use them, it reduces the likelihood of them being compromised).

As Google's Play Music Manager now won't run on my desktop (something I need more introduces a conflicting dependency), I figured I'd run Music Manager in a virtual machine and just point it at the right NFS share.

Turns out it wasn't quite so simple, as Music Manager returns the error 'Login failed. Could not identify your computer'.

After some digging, it's incredibly easy to resolve though.

Read more…

Hosting TOR Hidden Services (.onions)

The level of effort required to set up a TOR Hidden Service (known as a .onion) largely relates to the amount of paranoia you need to exercise regarding your anonymity.

Whilst the ins and outs of Operational Security (Op-Sec) are a little too intricate for a single post, this documentation will take you through the steps required to configure a Debian server to host a .onion site with reasonable protections in place.

Read more…

CentOS: Requiring a Yubikey OTP for SSH Password logins

This documentation was written in 2014. A more up to date version can be found in CentOS 8: Requiring a Yubikey OTP Press for SSH logins.

The increasing ubiquity of the Yubikey makes it an ideal candidate for a Two-Factor Authentication mechanism, and configuring a CentOS based server to require a push of a Yubikey is particularly easy.

By the end of this documentation, we'll have configured a CentOS server to require that a user provide the following in order to login via SSH, unless they already have a valid RSA key pair configured on the server:

  • Username (obviously)
  • Account password
  • Valid Yubikey OTP

For the sake of this documentation, we'll assume that you're using Yubico's validation servers (Yubicloud) rather than running your own (though if you are doing the latter, there's only one change in the configuration).

Read more…

Sending commit notifications using Git post-receive hooks

I make heavy use of Git, and have plugins that allow me to view my commits when viewing issues in JIRA. Unfortunately these plugins rely on Lucene indexes, which have proven to be a bit of an issue when archiving projects (or maintaining a HTML fallback).

There are various post-receive hooks out there for sending mail notifications out whenever someone runs 'git push', however they're generally tailored towards notifying a group of developers.

I simply wanted the equivalent of 'git log' to appear within my JIRA activity flow on any issue which is mentioned in the commit message.

This documentation provides a python based post-receive hook intended to do just that, and also documents exactly how to go about applying that hook to all existing and future repos on your server.

Read more…

Understanding the Difficulty of Assessing True Randomness

I've had to explain, more than a few times, quite why it's so hard to assess whether a Random Number Generator (RNG) is compromised unless you have access to how the specific implementation works. Just because the data appears to be random, does not necessarily mean that it is actually unpredictable.

In this short piece of documentation, I'll be attempting to demonstrate exactly how a compromised RNG can appear to be generating random data, based on the tests that are available to us.

To best demonstrate this, it seems best to work backwards (start with the tests and then show how the 'random' data isn't as random as it first appears). If you want to follow along, you can grab the dataset here. It's a pretty small sample but should be sufficient to demonstrate the issue.

Let's start by testing our dataset:

cat randomdata.txt | rngtest

Which should give us:

rngtest 2-unofficial-mt.14
Copyright (c) 2004 by Henrique de Moraes Holschuh
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

rngtest: starting FIPS tests...
rngtest: entropy source exhausted!
rngtest: bits received from input: 2311168
rngtest: FIPS 140-2 successes: 115
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=19.364; avg=263.319; max=1467.191)Mibits/s
rngtest: FIPS tests speed: (min=4.659; avg=6.107; max=6.239)Mibits/s
rngtest: Program run time: 377113 microseconds

A bigger dataset generated in the same manner yields a few failures, but nowhere near enough to be of any concern.

Let's ask ent what it thinks:

ent randomdata.txt

Which gives us:

Entropy = 7.999943 bits per byte.
Optimum compression would reduce the size of this 3388896 byte file by 0 percent.

Chi square distribution for 3388896 samples is 268.84, and randomly
would exceed this value 50.00 percent of the times.

Arithmetic mean value of data bytes is 127.5107 (127.5 = random).
Monte Carlo value for Pi is 3.140371378 (error 0.04 percent).
Serial correlation coefficient is 0.000636 (totally uncorrelated = 0.0).

We've got almost 8 bits of entropy per byte, so ent believes the data is essentially random.

Perfect, so surely it should be safe to generate Crypto keys with? Wrong... The data is absolutely and utterly predictable, as random as it might appear to be.
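As an added illustration (not part of the original post or its dataset), the ent-style metrics quoted above (entropy per byte, chi-square, arithmetic mean, serial correlation) computed in Python over a stream that is generated deterministically from a short seed. The generator is a constructed stand-in for a compromised RNG: it scores as 'random' on every metric, yet anyone holding the seed can regenerate every byte.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in for a compromised RNG: each output block is
# SHA-256(seed || counter). To anyone who knows the short seed the whole
# stream is predictable, yet its byte statistics look perfectly uniform.
def predictable_stream(seed: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def entropy_bits_per_byte(data: bytes) -> float:
    # Shannon entropy of the observed byte distribution (ent's first line; max 8.0)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chi_square(data: bytes) -> float:
    # Chi-square statistic against a uniform byte distribution (255 degrees of freedom)
    counts = Counter(data)
    expected = len(data) / 256
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def arithmetic_mean(data: bytes) -> float:
    return sum(data) / len(data)  # 127.5 expected for uniform bytes

def serial_correlation(data: bytes) -> float:
    # Pearson correlation between each byte and its successor (0.0 = uncorrelated)
    x, y = data[:-1], data[1:]
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    var_x = sum((a - mx) ** 2 for a in x)
    var_y = sum((b - my) ** 2 for b in y)
    return cov / math.sqrt(var_x * var_y)

def analyse(seed: bytes, length: int = 200_000) -> dict:
    # Run the ent-style checks, then show the catch: the identical stream
    # can be regenerated from the seed, so the "randomness" is purely cosmetic.
    data = predictable_stream(seed, length)
    return {
        "entropy": entropy_bits_per_byte(data),
        "chi_square": chi_square(data),
        "mean": arithmetic_mean(data),
        "serial_corr": serial_correlation(data),
        "reproducible": predictable_stream(seed, length) == data,
    }
```

Call `analyse(b"weak-seed")` (a constructed seed) to see entropy close to 8.0, a chi-square near the 255 expected for a uniform distribution, a mean near 127.5 and near-zero serial correlation, alongside `reproducible: True`.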

Read more…

Implementing Secure Password Storage with PHPCredlocker and a Raspberry Pi

Password storage can be a sensitive business, but no matter whether you're using PHPCredlocker or KeePassX, dedicated hardware is best. The more isolated your password storage solution, the less likely it is that unauthorised access can be obtained.

Of course, dedicated hardware can quickly become expensive. Whilst it might be ideal in terms of security, who can afford to Colo a server just to store their passwords? A VPS is a trade-off - anyone with access to the hypervisor could potentially grab your encryption keys from memory (or the back-end storage).

To try and reduce the cost, whilst maintaining the security ideal of having dedicated hardware, I set out to get PHPCredlocker running on a Raspberry Pi.

This documentation details how to build the system. A Raspberry Pi Model B+ was used, but the B should be fine too.

Read more…

Implementing Encrypted Incremental Backups with S3cmd

I've previously detailed how to use S3cmd to backup your data from a Linux machine. Unfortunately, because of the way that s3cmd works, if you want an incremental backup (i.e. using 'sync') you cannot use the built-in encryption.

In this documentation I'll be detailing a simple way to implement an encrypted incremental backup using s3cmd, as well as a workaround if you're unable to install GPG - instead using OpenSSL to encrypt the data. Obviously we'll also be exploring how to decrypt the data when the backups are required.

It's assumed that you've already got s3cmd installed and configured to access your S3 account (see my earlier documentation if not).

Read more…