The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,839 other subscribers

Archive for the ‘Security’ Category

« Previous Entries
Next Entries »

Anyone tried #Telegram to communicate securely?

Posted by jpluimers on 2021/01/22

Below are a few comments from [WayBack] Anyone tried #Telegram to communicate securely? Some nice features there… Looks way more secure than WeChat and all that. Thoughts? https://telegram…. – Jason Mayes – Google+.

The consensus seems to be

  • Signal is the way to go for secure chat. It is open source too.
  • When chatting with groups of people, there is technical security, but not social security.
  • Telegram is easier to use than some other chat platforms, and has a large user base.

The comments:

  • Ryan Ostendorf's profile photo
    Ryan Ostendorf+5
    Telegram is pretty nice, but its security leaves much to be desired. If it’s security and true privacy you want, Signal is the way to go.
  • M.A. Zaki's profile photo
    M.A. Zaki
    Hi+Ryan Ostendorf signal is indeed a way to go but didn’t have big users number compared to Telegram.
  • Wayne Harris's profile photo
    Wayne Harris+2

    I use telegram, discord, slack & hangouts for variousn groups i talk with. Of those, telegeam is my preferred for ease of use etc. One thing i would like to see is a “index” of groups to maybe easier prioritise what i want to read (a-la how discord wokrs with its different servers) but im so used to the flat style of telegram/hangouts that i dont have a huge issue with its current design

    Re security, im not an expert, but it seems ok, with multuple options available. Havent heard of anything being intercepted/hacked, but who really know what our alien overlords – err governments – and other interested parties are up to behind the scenes.

  • oon arfiandwi (OonID)'s profile photo
    oon arfiandwi (OonID)+2
    I use telegram more than whatsapp. I found many technical group discussion (at least for Indonesian) because telegram supports a huge amount of members per group.
    also, the telegram bot and channel give a unique feature for a developer to build an application on top of it.
  • Jason Mayes's profile photo
    Jason Mayes+1
    +Ryan Ostendorf oooh thanks I shall check it out
  • Jason Mayes's profile photo
    Jason Mayes+1
    Thanks everyone for feedback!
  • Leo Turing's profile photo
    Leo Turing+3
    I am using Telegram for 5 years now. Far faster and better than WhatsApp in many ways.
  • Christopher Gaul's profile photo
    Christopher Gaul+1

    It’s security level depends on who you ask. If you take their word at face value it’s great. If you believe the rumors it’s totally bent by U.S. surveillance agencies.

    Feature wise it’s decent otherwise.

    A few of us are on the hunt for a good, secure, multi platform messaging platform to replace Hangouts when they kill that. We’ve narrowed it down to a few that we’re testing.

    Signal was good until they killed their linux and browser clients.

    Retroshare is on the to test list along with…

    Viber.

    Tox.

  • epsi nurwijayadi's profile photo
    epsi nurwijayadi+1

    I have been a telegram user since october 2017.

    And I wonder, how do telegram make profit.

    Who is paying for the server to be alive ?

  • Christopher Gaul's profile photo
    Christopher Gaul+1
    Side note. You can just assume that any product based out of the U.S. or any Five Eyes country is not secure. I wouldn’t trust anything EU based either. What’s that leave you?
  • Christopher Gaul's profile photo
    Christopher Gaul+1
    +epsi nurwijayadi
    The NSA no doubt is footing the bills.
  • x Meta x's profile photo
    x Meta x+2
    For dependable privacy, I use two cans and a string.
  • Jason Mayes's profile photo
    Jason Mayes+4
    +x Meta x I can use a laser pointed at your string to measure the sound being transferred over it though
  • x Meta x's profile photo
    x Meta x+1

    +Jason Mayes …..

    …. Curses! Foiled again!

  • Wayne Harris's profile photo
    Wayne Harris
    I use the postal service. Nobody sends anything via that these days other than birthday cards from Nanna’s, so my most private missives go conpletely un-noticed by the authorities
  • epsi nurwijayadi's profile photo
    epsi nurwijayadi
    +Wayne Harris good idea
  • Jason ON's profile photo
    Jason ON
    I downloaded Telegram yesterday, in fact. Haven’t had a chance to try it out yet as I don’t know anyone using it. I had thought it would be more like BBM, with public groups in a social media-lite feature, but it’s not.
  • M.A. Zaki's profile photo
    M.A. Zaki
    +Jason ON telegram got more than that. The setting let you do much more.
  • epsi nurwijayadi's profile photo
    epsi nurwijayadi
    I remember getting very happy, when I got telegram from my father when I was a kid in about 80s. He had duty in other island faraway from home.
  • Willem Oosting's profile photo
    Willem Oosting+1

    +Jason Mayes Check out Keybase.io they strike a sweet balance between Wire-like security (encrypted group chats), and Telegram-like usability/looks. And I thought it’s FOSS!

    Keybase

    Keybase
    keybase.io
  • Robert Wallis's profile photo
    Robert Wallis

    Telegram has a very tempting feature set for a “messaging” service.

    I have recently started using it. Top reasons I like it so far are the ability to add a username, which means I can be available without giving people my phone number.

    My URL 👉 t.me/qwallis

    Also the ability to have branded public broadcast channels is different. I’ve set one up for London Meet-ups for +Happening London the URL for that is here 👉 t.me/HappeningLondon

    Any public post cam be embedded, so I’m surfacing the next meet-up on the +Happening London web site too 👉 happeninglondon.co.uk

    Those feature (and others) make Telegram interesting.

  • Christopher Gaul's profile photo
    Christopher Gaul+2

    +Robert Wallis I agree. With the caveat that this is as long as you aren’t expecting 100% guaranteed secure communications.

    Of course the question of whether such a thing even exists is valid. But in Telegram’s case, at least expect your local Five Eyes government surveillance state to be “reading” them.

  • Jonas Hellström (shellström)'s profile photo
    Jonas Hellström (shellström)
    I’m giving Matrix/Synapse and riot.im a whirl.
    Mostly because I can selfhost it, and it’s got some good things going for it, like encrypted convos.
    They still got a mile or two on their clients and that’s where I’m holding off on inviting everyone and their dogs until there’s something that can be used by more people without becoming a troubleshooting nightmare/”this isn’t as easy as whatsapp. Can’t we use messenger instead?” kind of deal.

    Riot – Riot – open team collaboration

    Riot – Riot – open team collaboration
    about.riot.im
  • Robert Wallis's profile photo
    Robert Wallis

    +Christopher Gaul yeah, but where aren’t they?

    As far as I understand Telegram has been validated for “secret chats” between two users, where security models are more easily implemented, but for groups of up to 200,00 that’s never going to be “secret” just hidden, and public broadcast channels are … well public.

–jeroen

Posted in Chat, Keybase, LifeHacker, Power User, Security, SocialMedia, Telegram | Leave a Comment »

Test for modern Internet Standards like IPv6, DNSSEC, HTTPS, DMARC, STARTTLS and DANE.

Posted by jpluimers on 2021/01/11

Cool: [WayBack] Test for modern Internet Standards like IPv6, DNSSEC, HTTPS, DMARC, STARTTLS and DANE.

Their motivation and background: [WayBack] About Internet.nl

–jeroen

Posted in Encryption, HTTPS/TLS security, Power User, Security | Leave a Comment »

GitHub – andOTP/andOTP: Open source two-factor authentication for Android

Posted by jpluimers on 2021/01/05

[WayBack] GitHub – andOTP/andOTP: Open source two-factor authentication for Android.

A few highlights:

  • andOTP is a two-factor authentication App for Android 4.4+.It implements Time-based One-time Passwords (TOTP) and HMAC-Based One-Time Passwords (HOTP). Simply scan the QR code and login with the generated 6-digit code.
  • OpenPGP: OpenPGP can be used to easily decrypt the OpenPGP-encrypted backups on your PC.
  • BroadcastReceivers: AndOTP supports a number of broadcasts to perform automated backups, eg. via Tasker. These will get saved to the defined backup directory. These only work when KeyStore is used as the encryption mechanism
    • org.shadowice.flocke.andotp.broadcast.PLAIN_TEXT_BACKUP: Perform a plain text backup. WARNING: This will save your 2FA tokens onto the disk in an unencrypted manner!
    • org.shadowice.flocke.andotp.broadcast.ENCRYPTED_BACKUP: Perform an encrypted backup of your 2FA database using the selected password in settings.
  • All three versions (Google Play, F-Droid and the APKs) are not compatible (not signed by the same key)! You will have to uninstall one to install the other, which will delete all your data. So make sure you have a current backup before switching!

PlayStore: [WayBack] andOTP – Android OTP Authenticator – Apps on Google Play

•  Free and Open-Source
•  Requires minimal permissions:
•  Camera access for QR code scanning
•  Storage access for import and export of the database
•  Encrypted storage with two backends:
•  Android KeyStore (can cause problems, please only use if you absolutely have to)
•  Password / PIN
•  Multiple backup options:
•  Plain-text
•  Password-protected
•  OpenPGP-encrypted
•  Sleek minimalistic Material Design with three different themes:
•  Light
•  Dark
•  Black (for OLED screens)
•  Great Usability
•  Compatible with Google Authenticator

Via: [WayBack] ‘Aanvallen via ss7-protocol om 2fa-sms’jes te onderscheppen nemen toe’ – Computer – Nieuws – Tweakers

Check out @Jaykul’s Tweet: https://twitter.com/Jaykul/status/1091200778121957377

Instead of Google authenticator and Authy

Via https://twitter.com/martinfowler/status/1091097388201230339

Related :

Nope. It’s just a secret encoded in a QR code.

Here’s the docs on the format of the URI in the QR code: https://t.co/AJhT6PFAzx

The QR code delivers a simple, durable, shared secret.

Use U2F if you can. It is much safer, as it cannot be phished or copied.

Depends on your risk model. Device to device transfer would be a good mid-ground, but doesn’t solve the “my phone was stolen/bricked/damaged” scenario.

Which is your bigger risk – duplicating (normally encrypted) secrets or losing your device and access to everything?

 

–jeroen

Posted in Android, Authy, Development, Mobile Development, Security, Software Development | Leave a Comment »

mkcert: valid HTTPS certificates for localhost (Windows/Mac/Linux) — a short blog post about it, by FiloSottile

Posted by jpluimers on 2020/12/21

Cool: [WayBack] Filippo Valsorda on Twitter: “mkcert: valid HTTPS certificates for localhost — a short blog post mkcert now that it’s almost done 🔒 “

Blog post: [WayBackmkcert: valid HTTPS certificates for localhost:

The web is moving to HTTPS, preventing network attackers from observing or injecting page contents. But HTTPS needs TLS certificates, and while deployment is increasingly a solved issue thanks to the ACME protocol and Let’s Encrypt, development still mostly ends up happening over HTTP because no one can get an…

Code: [WayBack] GitHub – FiloSottile/mkcert: A simple zero-config tool to make locally trusted development certificates with any names you’d like.

It is cross platform and works way better than good old Windows makecert (which is from the 2000’s era: [Archive.is] Public Key Infrastructure: Second European PKI Workshop: Research and … – David Chadwick, Greece) European PKI Workshop: Research and Applications (1st : 2004 : Samos Island – Google Books).

Related:

–jeroen

Read the rest of this entry »

Posted in *nix, Apple, Encryption, HTTPS/TLS security, Linux, Mac OS X / OS X / MacOS, Power User, Security, Windows | Leave a Comment »

gpg creation and sign Gino’s Key ($1785651) · Snippets · GitLab

Posted by jpluimers on 2020/12/04

Boy it was a long time ago that I did anything with gpg. Here is how to generate and sign keys.

[WayBack] gpg creation and sign Gino’s Key ($1785651) · Snippets · GitLab

And here to check your email confguration:

[WayBack] Home – dmarcian Founded in 2012 by the primary author of the DMARC specification, dmarcian is dedicated to upgrading the entire world’s email by making DMARC accessible to all. dmarcian brings together thousands of senders, vendors, and operators in a common effort to build DMARC into the email ecosystem.

–jeroen

Posted in *nix, Power User, Security | Leave a Comment »

Bootable virus scanners supporting ntfs

Posted by jpluimers on 2020/11/09

I was looking for a bootable virus scanner supporting NTFS. Kaspersky was the first one I found, and it worked well.

Back then, these were the output locations:

The HTTP link can be convenient for locations that do not support TLS (cough, VMware ESXi wget, cough), which are OK if you calculate the sha256 hash from the TLS link first.

Likely there is a 2020 version by now.

I got the links via:

I might try BitDefender later.

–jeroen

Posted in LifeHacker, Power User, Security | Leave a Comment »

OpenCandy – Wikipedia

Posted by jpluimers on 2020/11/06

Hmm, one of my machines contained OpenCandy – Wikipedia as found by Malwarebytes (software) – Wikipedia:

Tracking back the installation, revealed it came with ImgBurn 2.5.8.0, which is now on my black-list.

In my case this was how to remove it:

rd /s /q %AppData%\OpenCandy

This is not universal; you might need to take additional measures like in [WayBack] How to Remove PUP.Optional.OpenCandy (Removal Guide).

I use this batch-file to get the most recent Malwarebytes and Chameleon:

get-malware-bytes.bat 

:: redirects to something like wget https://data-cdn.mbamupdates.com/web/mb3-setup-consumer/mb3-setup-consumer-3.6.1.2711-1.0.508-1.0.8211.exe
wget --content-disposition https://downloads.malwarebytes.com/file/mb3/
:: redirects to something like wget https://data-cdn.mbamupdates.com/web/mbam-chameleon-3.1.33.0.zip
wget --content-disposition https://downloads.malwarebytes.com/file/chameleon/

If you do not have wget on your system, then try this PowerShell alternative (which does not show progress) via [WayBack] Windows batch file file download from a URL – Stack Overflow

:: in case you do not have wget:
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://downloads.malwarebytes.com/file/mb3/', 'mb3.exe')"
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://downloads.malwarebytes.com/file/chameleon/', 'chameleon.exe')"
:: note these do not show progress!
:: https://stackoverflow.com/questions/4619088/windows-batch-file-file-download-from-a-url

Related: [WayBackJeroen Pluimers on Twitter: “What if the most recent @Malwarebytes on a Windows 8.1 x64 VM (all patches installed) on ESXi backed by NVME hangs for hours on one file with hardly any CPU usage? Screenshots of mbam.exe, mbamservice.exe and mbamtray.exe thread usage below.

–jeroen

Posted in *nix, *nix-tools, LifeHacker, Power User, Security, wget, Windows | Leave a Comment »

Ik ben wat verward over de @WoonVeilig site. https://t.co/ui8agTkgM9 heeft het bijvoorbeeld over GATE-03 en GATE-02, maar https://t.co/QswkrlsuZY over ALARM-03 en SMARTHOME-01. Ook heeft SMARTHOME-01 meer accessoires dan ALARM-03. Werken die extra (zoals CO-25) niet op ALARM-03?”

Posted by jpluimers on 2020/11/02

[WayBack] “Ik ben wat verward over de @WoonVeilig site. www.woonveilig.nl/juiste-producten- heeft het bijvoorbeeld over GATE-03 en GATE-02, maar www.woonveilig.nl/klantenservice/handleidingen over ALARM-03 en SMARTHOME-01. Ook heeft SMARTHOME-01 meer accessoires dan ALARM-03. Werken die extra (zoals CO-25) niet op ALARM-03?”

Wat linkjes:

Tweakers.net:

Concurrentie: SmartAlarm; ook met beperking IP-only.

Meer domotica dan concurrentie: HomeWizard.

Over het hoe en waarom:

–jeroen

Read the rest of this entry »

Posted in LifeHacker, Power User, Security | Leave a Comment »

Facebook ist in Bezug auf Kundenzufriedenheit und Vertrauen in Umfragen zieml…

Posted by jpluimers on 2020/10/16

Nice thread as it talks a bit about how keep your own stuff secure with companies doing MitM, or have VPN infrastrcuture.

[WayBack] Facebook ist in Bezug auf Kundenzufriedenheit und Vertrauen in Umfragen zieml…

Most larger TLS based web-sites now have HSTS so detect MitM.

Having a proxy locally helps checking the certificates.

Corporate laptops usually has device management. If they use MitM, their root certificates are usually put back automatically. But not all software uses the same root certificate store (:

In the past, I have used [WayBack] cntlm, or VPN (routing only corporate traffic over VPN).

There are corporate VPN variants, which take over the complete routing table or even run arbitrary scripts as root on your box on connect in order to do “endpoint validation”. And then there is OpenVPN, which routes the traffic that the company shall see to the company and lets you use normal connectivity for the rest.

You want openvpn, in all cases.

Another trick I have used is to VPN/SSH out of a corporate box and route some of the traffic over it.

Finally, for some larger corporate VPN software, there is an open source replacement that has better configuration options: OpenConnect supports AnyConnect, Juniper and GlobalProtect.

Related: picture on the right via [WayBack] Torsten Kleinz – Google+

–jeroen

Posted in Cntlm, Encryption, HTTPS/TLS security, Power User, Security, Windows, Windows-Http-Proxy | Leave a Comment »

Supermicro Bios Update – YouTube

Posted by jpluimers on 2020/09/14

I needed to get myself an OOB license for the BIOS update over the IPMI console or SUM (Supermicro Update Manager). An IPMI update can be done without an OOB license from the IPMI console, but the BIOS requires a license.

Links that initially helped me with that to get a feel for what I needed:

I thought that likely I need to purchase a key for it:

Obtain the license code from your IPMI BMC MAC address

But then I found out the below links on reverse engineering.

From those links, I checked both the Perl and Linux OpenSSL versions. Only the Perl version works on MacOS.

Then I fiddled with the bash version: unlike the OpenSSL version above, this one printed output. It wrongly printed the last groups of hex digits instead of the first groups of hex digits that the Perl script prints.

Here is the corrected bash script printing the first groups of hex digits (on my systems, I have an alias supermicro_hash_IPMI_BMC_MAC_address_to_get_OOB_license_for_BIOS_update for it):

#!/bin/bash
function hash_mac {
  mac="$1"
  key="8544e3b47eca58f9583043f8"
  sub="\x"
  #convert mac to hex
  hexmac="\x${mac//:/$sub}"
  #create hash
  code=$(printf "$hexmac" | openssl dgst -sha1 -mac HMAC -macopt hexkey:"$key")
  #DEBUG
  echo "$mac"
  echo "$hexmac"
  echo "$code"

  echo "${code:0:4}-${code:4:4}-${code:8:4}-${code:12:4}-${code:16:4}-${code:20:4}"
}

Steps

Reverse engineering links

  • [WayBack] The better way to update Supermicro BIOS is via IPMI – VirtualLifestyle.nl

    Another way to update the BIOS via the Supermicro IPMI for free is simply calculating the license key yourself as described here: https://peterkleissner.com/2018/05/27/reverse-engineering-supermicro-ipmi/ [WayBack].

    • [WayBack] Reverse Engineering Supermicro IPMI – peterkleissner.com

      Algorithm:

      MAC-SHA1-96(INPUT: MAC address of BMC, SECRET KEY: 85 44 E3 B4 7E CA 58 F9 58 30 43 F8)

      Update 1/14/2019: The Twitter user @astraleureka posted this code perl code which is generating the license key:

      #!/usr/bin/perl
use strict;
use Digest::HMAC_SHA1 'hmac_sha1';
my $key  = "\x85\x44\xe3\xb4\x7e\xca\x58\xf9\x58\x30\x43\xf8";
my $mac  = shift || die 'args: mac-addr (i.e. 00:25:90:cd:26:da)';
my $data = join '', map { chr hex $_ } split ':', $mac;
my $raw  = hmac_sha1($data, $key);
printf "%02lX%02lX-%02lX%02lX-%02lX%02lX-%02lX%02lX-%02lX%02lX-%02lX%02lX\n", (map { ord $_ } split '', $raw);

      Update 3/27/2019: There is also Linux shell version that uses openssl:

      echo -n 'bmc-mac' | xxd -r -p | openssl dgst -sha1 -mac HMAC -macopt hexkey:8544E3B47ECA58F9583043F8 | awk '{print $2}' | cut -c 1-24
    • [WayBack] Modular conversion, encoding and encryption online — Cryptii

      Web app offering modular conversion, encoding and encryption online. Translations are done in the browser without any server interaction. This is an Open Source project, code licensed MIT.

      Steps:

      1. In the left pane, select the “View” drop-down to be “Bytes”, then paste the HEX bytes of your IPMI MAC address there (like 00 25 90 7d 9c 25)
      2. In the middle pane, select the drop-down to become “HMAC” followed by the radio-group to be “SHA1“, then paste these bytes into the “Key” field: 85 44 E3 B4 7E CA 58 F9 58 30 43 F8
      3. In the right pane, select the drop-down to become “Bytes”, then the “Group by” to become “2 bytes”, which will you give the output (where the bold part is the license key: 6 groups of 2 bytes): a7d5 2201 4eee 667d dbd2 5106 9595 2ff7 67b8 fb59

      Result:

    • Michael Stapelberg’s private website, containing articles about computers and programming, mostly focused on Linux.[WayBack] Securing SuperMicro’s IPMI with OpenVPN
    • [WayBack] GitHub – ReFirmLabs/binwalk: Firmware Analysis Tool
  • [WayBack] The better way to update Supermicro BIOS is via IPMI – VirtualLifestyle.nl

    Ahh…..a few corrections :-P

    #!/bin/bash
function hash_mac {
  mac="$1"
  key="8544e3b47eca58f9583043f8"
  sub="\x"
  #convert mac to hex
  hexmac="\x${mac//:/$sub}"
  #create hash
  code=$(printf "$hexmac" | openssl dgst -sha1 -mac HMAC -macopt hexkey:"$key")
  #DEBUG
  echo "$mac"
  echo "$hexmac"
  echo "$code"
  echo "${code:9:4} ${code:13:4} ${code:17:4} ${code:21:4} ${code:25:4} ${code:29:4}"
}
#hex output with input
hash_mac "$1"

#Look out for the quotes, they might get changed by different encoding
  • [WayBack] The better way to update Supermicro BIOS is via IPMI – VirtualLifestyle.nl

    Thanks Peter. For anyone interested, here’s a bash script that takes the MAC as the only argument and outputs the activation key:

    #!/bin/bash
function hash_mac {
  mac="$1"
  key="8544e3b47eca58f9583043f8"
  sub="\x"
  #convert mac to hex
  hexmac="\x${mac//:/$sub}"
  #create hash
  code=$(printf "$hexmac" | openssl dgst -sha1 -mac HMAC -macopt hexkey:"$key")
  ## DEBUG
  echo "$mac"
  echo "$hexmac"
  echo "$code"
  echo "${code:9:4} ${code:13:4} ${code:17:4} ${code:21:4} ${code:25:4} ${code:29:4}"
}
## hex output with input
hash_mac "$1"

 

–jeroen

Read the rest of this entry »

Posted in Development, Encoding, Hardware, Hashing, HMAC, Mainboards, OpenSSL, Power User, Security, SHA, SHA-1, Software Development, SuperMicro, X10SRH-CF | Leave a Comment »

« Previous Entries
Next Entries »