March 2026
M	T	W	T	F	S	S
	1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28	29
30	31

Archive for 2019

Some links on keystore, encryption and decryption on Android

Posted by jpluimers on 2019/02/06

For my link archive:

[WayBack] android – Using AES with AndroidKeyStore – Stack Overflow
[WayBack] Android keystore system | Android Developers
[WayBack] java – AES-encrypted key store – Code Review Stack Exchange (especially the review comments)
[WayBack] Keystore redesign in Android M (which is version 6 with API level 23, and allowed storing symmetric keys in the keystore)
[WayBack] Encryptor and Decryptor for data encryption.decryption using the Android KeyStore. · GitHub, via:
- [WayBack] Using the Android Keystore system to store and retrieve sensitive information
- [WayBack] Generate symmetric key and store in android keystore – Stack Overflow
[WayBack] How to display Java keystore SecretKeyEntry from command line – Stack Overflow
[WayBack] KeyStore Explorer:
KeyStore Explorer is an open source GUI replacement for the Java command-line utilities keytool and jarsigner. KeyStore Explorer presents their functionality, and more, via an intuitive graphical user interface.
[WayBack] android-ConfirmCredential/MainActivity.java at master · googlesamples/android-ConfirmCredential · GitHub
- [WayBack] GitHub – googlesamples/android-ConfirmCredential
[WayBack] Android Security: The Forgetful Keystore – SystemDotRun – Dorian Cussen’s Super Blog
[WayBack] encryption – When using AES and CBC, is it necessary to keep the IV secret? – Information Security Stack Exchange
[WayBack] Storing application secrets in Android’s credential storage
[WayBack] KeyStore.SecretKeyEntry | Android Developers
[WayBack] SecretKeySpec | Android Developers

Basically:

storing encrypted data plus IV in preferences is OK
store the symmetric encryption key (for instance an AES one) in the keystore for the application
likely a salt is also needed, then store the salt with the IV and encrypted data

–jeroen

Presumptions:

The keystore of a specific application UUID is only accessible by only that application UUID when the device has been unlocked by the user
The keystore saves credentials in a secure way
It is OK to save both the encrypted data and associated IV

Approach (plain data is “hashed application PIN”, encrypted data is “encrypted hashed application PIN”:

store a symmetric AES key in the application key store
after entering application PIN:
1. hash the application PIN
2. use the hashed application PIN to to enter the application
3. from the keystore, obtain the symmetric AES key
4. create a cipher based on the AES key
5. use the cipher to obtain an IV, and to encrypt the hashed application PIN
6. store the encrypted hashed application PIN and IV both in the application preferences
when needing to enter the application, present the user to either enter the application PIN again or proof that they can pass the device unlock sequence (using an unlock activity)
1. if the user provided the application PIN, then:
  1. hash the application PIN
  2. try to enter the application with the hashed application PIN
2. proved the device unlock, then:
  1. from the preferences, obtain the IV and encrypted hashed application PIN
  2. from the keystore, obtain the symmetric AES key
  3. create a cipher based on the AES key
  4. decrypt the encrypted hashed application PIN using the cipher and the IV into the hashed application PIN
  5. try to enter the application with the hashed application PIN

Posted in Android, Development, Mobile Development, Software Development | Leave a Comment »

The company as a social engine – The Isoblog.

Posted by jpluimers on 2019/02/06

Food for thought about work: [WayBack] The company as a social engine – The Isoblog.

–jeroen

via: [WayBack] The company as a social engine… – Kristian Köhntopp – Google+

Posted in LifeHacker | Leave a Comment »

Delphi Declarations and Statements: Hinting Directives

Posted by jpluimers on 2019/02/06

From [WayBack] Declarations and Statements: Hinting Directives you might remember this:

The ‘hint’ directives platform, deprecated, and library may be appended to any declaration. These directives will produce warnings at compile time. Hint directives can be applied to type declarations, variable declarations, class, interface and structure declarations, field declarations within classes or records, procedure, function and method declarations, and unit declarations.

However, it doesn’t as at least these fail:

type
{ [dcc32 Error] ClassConstUsageConsoleProject.dpr(14): E1030 Invalid compiler directive: 'DEPRECATED' }
  TMyProcedure = procedure() of object deprecated 'do not use TMyProcedure';
{ [dcc32 Error] E1030 Invalid compiler directive: 'DEPRECATED' }
  TMyReference = reference to procedure() deprecated 'do not use TMyReference';

These two helped me though:

This fails too:

type
{ [dcc32 Error] E2029 '=' expected but ';' found }
  TArrayChars = array of Char; deprecated;
{ [dcc32 Error] E2029 ';' expected but identifier 'deprecated' found }
  TArrayChars = array of Char deprecated;

But this is a workaround:

type
  TArrayCharsOld = array of Char;
  TArrayChars = TArrayCharsOld deprecated;

Which works for the procedure types as well:

type
  TMyProcedureOld = procedure() of object;
  TMyProcedure = TMyProcedureOld deprecated 'do not use TMyProcedure';
  TMyReferenceOld = reference to procedure();
  TMyReference = TMyReferenceOld deprecated 'do not use TMyReference';

Bug https://quality.embarcadero.com/browse/RSP-18316

–jeroen

Posted in Delphi, Development, Software Development | 1 Comment »

GitHub – GoogleChromeLabs/ndb: ndb is an improved debugging experience for Node.js, enabled by Chrome DevTools

Posted by jpluimers on 2019/02/05

This looks like ndp is a drop in wrapper for node allowing for in depth debugging: [WayBack] GitHub – GoogleChromeLabs/ndb: ndb is an improved debugging experience for Node.js, enabled by Chrome DevTools

Via: [WayBack] ndb: An Improved Debugging Experience for Node – Adrian Marius Popa – Google+

–jeroen

Posted in Development, JavaScript/ECMAScript, Node.js, Scripting, Software Development | Leave a Comment »

6502 emulation: the ICE, or in-circuit-emulator…

Posted by jpluimers on 2019/02/05

On my list of hardware things to try:

[WayBack] a different take on 6502 emulation: the ICE, or in-circuit-emulator… – mos6502 – Google+

Basically it consists of three parts:

A git hub repository with wiki
[WayBack] Home · hoglet67/AtomBusMon Wiki
AtomBusMon – This project is an open-source In-Circuit Emulator for the 6502, 65C02, Z80, 6809 and 6809E 8-bit processors.
An FGPA based ICE that fits in a 6502/Z80/6809 socket
[WayBack] GODIL40_XC3S250E DIL FPGA module (40 pin DIL) | Trenz Electronic Online Shop (EN)
by [WayBack] Oho-Elektronik.de with documentation at [WayBack] UM_GODIL.pdf.
A machine with a serial port to communicate with the ICE

–jeroen

Posted in 6502, Development, Hardware Development, History, Z80 | Leave a Comment »

keyman/DevDelphiStarterCompileWrapper.pas at master · keymanapp/keyman

Posted by jpluimers on 2019/02/05

Cool: bds.exe -ns -b projectname.dproj will build a project from the command-line.

Should work in Starter Edition (and the now defunct AppMethod).

[WayBack] keyman/DevDelphiStarterCompileWrapper.pas at master · keymanapp/keyman.

Via: [WayBack] Question: is there any chance Embarcadero would reconsider and stop blocking the use of the command line compilers for Starter Edition?I run an open s… – Marc Durdin – Google+

–jeroen

Posted in Delphi, Development, Software Development | Leave a Comment »

Some commands and links from “Praktijk | Windows PE”; Softlink 1807114 – c’t magazine

Posted by jpluimers on 2019/02/04

Downloads: [WayBack] Softlink 1807114 – c’t magazine

Commands (only execute them from within a Windows PE session!):

Sometimes the network does not start, so you can use the wpeutil command to start it: wpeutil initializenetwork; with wpeutil disablefirewall and wpeutil enablefirewall you can manage the firewall.Background information:
- [WayBack] Wpeutil Command-Line Options | Microsoft Docs
- [WayBack] Wpeinit and Startnet.cmd: Using WinPE Startup Scripts | Microsoft Docs
Like regular Windows, net use can map shares to drive letters over a wired network connection. There is a small thing with anonymous logon, see the below links for more, and you might need a network driver that is not automatically loaded, see the next section.
1. [WayBack] samba – Windows 10 PE Unable to map network drive anonymously – Server Fault
2. [WayBack] WinPE Network Drivers: Initializing and adding drivers | Microsoft Docs
Windows PE can load most drivers through the drvload command; ensure you have unpacked your drivers and the driver directory contains the appropriate .inf file, then run drvload E:\driver\drivername.inf where E:\driver is where your driver files are.Background information:
- [WayBack] Windows 10 Command Line Driver Install | Dell US
- [WayBack] Load only the WinPE network driver(s) you need using DRVLOAD – codeshop99
- [WayBack] How To Test Drivers Compatibility Within Winpe | Ivanti User Community which can result into two kinds of messages:
  - DrvLoad: Unable to load X:\InstalledDrivers\...\e1d6432.inf (Error 0x80070002)
  - DrvLoad: Successfully loaded C:\e1c6432.inf
- [WayBack] Drvload Command-Line Options | Microsoft Docs
The manage-bde -unlock command can unlock a Bitlocker volume. There are various parameters, but the most used combination is manage-bde -unlock C: -password where C: is the drive you want to unlock and -password (or -pw) causes it to prompt for a password.Background information:
- [WayBack] manage-bde unlock | Microsoft Docs
- [WayBack] manage-bde | Microsoft Docs
To get information which kind of boot was performed (BIOS or UEFI):

wpeutil updatebootinfo regedit

Then browse toHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control and check the value for PEFirmwareType: when 1, it is BIOS, when 2, it is UEFI.

or check out

[WayBack] Boot to UEFI Mode or Legacy BIOS mode | Microsoft Docs and run this small script:

wpeutil UpdateBootInfo for /f "tokens=2* delims= " %%A in ('reg query HKLM\System\CurrentControlSet\Control /v PEFirmwareType') DO SET Firmware=%%B :: Note: delims is a TAB followed by a space. if %Firmware%==0x1 echo The PC is booted in BIOS mode. if %Firmware%==0x2 echo The PC is booted in UEFI mode.

You can execute compact.exe with the /compactos parameter from both a regular Windows installation as well as from Windows PE. From Windows PE, you need to provide an extra parameter: the drive to check.

Regular Windows:

compact.exe /compactos queries if it is enabled
compact.exe /compactos:always enables compactOS

Windows PE:

Compact.exe /CompactOS:Query /WinDir:E:\Windows

Background information:

–jeroen

Posted in Power User, Windows | Leave a Comment »

If the downloading PDF reports (like bank statements) from the new ABN AMRO on-line banking environment fails: try the old environment

Posted by jpluimers on 2019/02/04

Great set of steps from ABN AMRO to get into the old on-line banking environment that usually works if the new one fails downloading PDF reports:

Note that outages like these are not reported at [Archive.is] Storingen – ABN AMRO – beschikbaarheid.

–jeroen

Read the rest of this entry »

Posted in LifeHacker, Power User | Leave a Comment »

RawGit is going away: redirect your content before October 2019 (it does disappear after that)

Posted by jpluimers on 2019/02/04

[WayBack] RawGit: RawGit served raw files directly from GitHub with proper Content-Type headers.

This means you have to redirect your existing RawGit links before October 2019, and you cannot add new links on RawGit.

You might want to try alternatives, for instance this one I mentioned in 2017: raw.githack.com – like rawgit.com but supports bitbucket as well and runs on plain nginx.

[WayBack] raw.githack.com:

raw.githack.com serves raw files directly from GitHub, Bitbucket or GitLab with proper Content-Type headers.

There are some other options that RawGit itself mentions:

What you should use instead

The following free services offer fantastic alternatives to some or all of RawGit’s functionality. You may like them even more than RawGit.

[Archive.is] jsDelivr

[WayBack] GitHub Pages

[Archive.is] CodeSandbox

[WayBack] unpkg

RawGit source is still at [WayBack] GitHub – rgrove/rawgit: Served files from raw.githubusercontent.com, but with the correct content types., so if you want to host your own alternative you can.

It means I need to change these pages:

–jeroen

Posted in Development, DVCS - Distributed Version Control, gist, GitHub, Power User, rawgit, Source Code Management | Leave a Comment »

‪Dear #lazyweb, can anyone point me to a modern email server setup (just emai…

Posted by jpluimers on 2019/02/01

Summary from [WayBack]‪ Dear #lazyweb, can anyone point me to a modern email server setup (just email) with letsencrypt, some spam filter, multi domain preferably on RHEL/Cent… – Jan Wildeboer – Google+

many SMTP servers on the interwebs do not have proper TLS setups, so do not require remote SMTP servers to deliver email with a proper certificate
delivering mail via SMTP using STARTTLS with a proper certificate yourself is a good step forward
postfix
dovecot
greylisting (although in practice it does not make much of a difference any more)
fail2ban
dnsbl (often called rbl)
spamassasin
rspamd (supports SPF, DKIM and many others)
- [WayBack] Rspamd spam filtering system
- [WayBack] GitHub – vstakhov/rspamd: Rapid spam filtering system.
letsencrypt automation can be tough, so here is a small wrapper: [WayBack] GitHub – DrGlitchMX/update-letsencrypt: Tiny script for updating “Let’s Encrypt!” certificates from cron
it helps having letsencrypt and the mail server to be on one machine:
- multidomain let’s encrypt cert that has my webserver name and the mailserver in the Subject Alternative Names field. As both are on the same machine certbot can automatically update it and I just point Postfix and Dovecot to the LE files.
Hans-Martin Mosner SMTP as-is is just not suitable for the kind of decentralized mail that you would prefer. You need some mechanism to determine which mail senders to trust and which not. Cryptography is suitable at the MUA level and should be used much more, but at the MTA level, TLS for privacy and SPF(bleh) or DKIM(meh) for sender domain authentication are basically your only weapons -much too weak. The PGP web of trust must be considered a failed experiment – who of your mail contacts uses PGP properly or at all? Ironically the only secure messaging solutions for the masses are centralized.

A bit large but, might be an option: Zimbra. Multidomain and spam out of the box. Certs are well documented. Just disable logging which consumes way too much resources.
Guides
- [WayBack] Mailserver mit Dovecot, Postfix, MySQL und Rspamd unter Debian 9 Stretch
- [WayBack] ISPmail tutorials – workaround.org (Postfix, Dovecot IMAP/POP3 and MySQL backend on a Debian server just)
  - [WayBack] ISPmail guide for Debian Stretch – workaround.org
  - [WayBack] ISPmail guide for Debian Jessie – workaround.org
  - The above cover (though I wish it did without MariaDB / MySQL):
    - Receive emails on your domain(s).
    - Filter out spam and malware.
    - Send emails out to any other servers/domains on the internet. Connections will be encrypted when possible.
    - Add cryptographic signatures (DKIM) to outgoing emails.
    - Store as many emails for as many email addresses as you have disk space. Set limits (“quotas”) per user.
    - Let your users fetch email using IMAP or POP3 and send email through your servers using SMTP.
    - Allow users to manage server-based filter rules. Distribute incoming emails to different folders. Forward copies. Or send out-of-office notifications.
    - Provide a webmail interface so users can access their emails securely from any location.
    - Mitigate brute force attacks.

Things to do:

find a proper multi-MX fallback setup guide for postfix

–jeroen

Read the rest of this entry »

Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, postfix, Power User, SMTP | Leave a Comment »

« Previous Entries

Next Entries »

	Attila Kovacs on Crowbarring Windows 95 into Wi…
	Jeroen Wiert Pluimer… on Does Odido (the old T-Mobile N…
	Lars Fosdal on Security alarm provider Woonve…
	Thomas Mueller on Question got closed in May 202…
	Thaddy de Koning on Formulier voor bewindvoerders…

The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

Twitter Updates

My Flickr Stream

Pages

All categories

Email Subscription

Archive for 2019

Some links on keystore, encryption and decryption on Android

The company as a social engine – The Isoblog.

Delphi Declarations and Statements: Hinting Directives

GitHub – GoogleChromeLabs/ndb: ndb is an improved debugging experience for Node.js, enabled by Chrome DevTools

6502 emulation: the ICE, or in-circuit-emulator…

keyman/DevDelphiStarterCompileWrapper.pas at master · keymanapp/keyman

Some commands and links from “Praktijk | Windows PE”; Softlink 1807114 – c’t magazine

If the downloading PDF reports (like bank statements) from the new ABN AMRO on-line banking environment fails: try the old environment

RawGit is going away: redirect your content before October 2019 (it does disappear after that)

What you should use instead

‪Dear #lazyweb, can anyone point me to a modern email server setup (just emai…

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

My Flickr Stream

Pages

All categories

Email Subscription

Archive for 2019

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

What you should use instead

Rate this:

Share this:

Rate this:

Share this: