Conor Patrick built humself u2f-zero an U2F USB token optimized for physical security, affordability, and style.
He open sourced the hardware and software at conorpp/u2f-zero.
–jeroen
conorpp/u2f-zero: U2F USB token optimized for physical security, affordability, and style
Posted by jpluimers on 2016/10/26
Posted in Development, Hardware Development | Leave a Comment »
OpenSuSE Tumbleweed: after installing from ISO, be sure to disable/remove the ISO repo
Posted by jpluimers on 2016/10/26
TL;DR: OpenSuSE Tumbleweed – after installing from ISO, be sure to disable/remove the ISO repo.
A while ago I had a weird thing on my OpenSuSE Tumbleweed system while upgrading (yes, zypper dist-upgrade is the recommended way to update Tumbleweed): it would complain in this way zypper dup indicates python3-urllib3-1.16-1.1.noarch requires python(abi) = 3.5:
# zypper dup Warning: You are about to do a distribution upgrade with all enabled repositories. Make sure these repositories are compatible before you continue. See 'man zypper' for more information about this command. Loading repository data... Reading installed packages... Computing distribution upgrade... Problem: python3-urllib3-1.16-1.1.noarch requires python(abi) = 3.5, but this requirement cannot be provided Solution 1: Following actions will be done: deinstallation of python3-urllib3-1.15.1-2.1.noarch deinstallation of python3-wheel-0.29.0-2.1.noarch deinstallation of speedtest-cli-0.3.2-4.3.noarch deinstallation of python3-six-1.10.0-4.1.noarch deinstallation of python3-pycparser-2.14-2.1.noarch deinstallation of python3-pyasn1-0.1.9-2.1.noarch deinstallation of python3-pyOpenSSL-16.0.0-3.1.noarch deinstallation of python3-idna-2.1-1.1.noarch deinstallation of python3-chardet-2.3.0-1.4.noarch Solution 2: keep obsolete python-cupshelpers-1.5.7-7.2.noarch Solution 3: break python3-urllib3-1.16-1.1.noarch by ignoring some of its dependencies Choose from above solutions by number or cancel [1/2/3/c] (c):
What eventually – with help from the excellent help by DimStar on the #openSUSE-factory IRC channel – led to the solution was the part Solution 2: keep obsolete python-cupshelpers-1.5.7-7.2.noarch.
But first let’s look at the installed versions and repos:
Share this:
Posted in *nix, Development, Internet, Linux, openSuSE, Power User, Scripting, Software Development, SpeedTest, SuSE Linux, Tumbleweed | Leave a Comment »
How to copy files from one machine to another using ssh – Unix & Linux Stack Exchange
Posted by jpluimers on 2016/10/25
I’m using Linux (centos) machine, I already connected to the other system using ssh. Now my question is how can I copy files from one system to another system?
Source: How to copy files from one machine to another using ssh – Unix & Linux Stack Exchange
Nice question, uh? In my opinion the best answer is “Use scp to avoid going through hoops with complex configurations to re-use your existing ssh connection” like this:
To copy a file from
BtoAwhile logged intoB:scp /path/to/file username@A:/path/to/destinationTo copy a file from
BtoAwhile logged intoA:scp username@B:/path/to/file /path/to/destinationSource: DopeGhoti answering How to copy files from one machine to another using ssh – Unix & Linux Stack Exchange
Instead the question is marked duplicate of SSH easily copy file to local system – Unix & Linux Stack Exchange where (contrary to the ‘easily’ part of the question) go through hoops and loops with all kinds of fancy ssh settings and port forwards.
Recursive
For recursive, use the -r option, as per [WayBack] shell – How to copy a folder from remote to local using scp? – Stack Overflow:
scp -r user@your.server.example.com:/path/to/foo /home/user/Desktop/From
man scp(See online manual)
-r Recursively copy entire directories
Related:
Share this:
Posted in *nix, *nix-tools, bash, Communications Development, Development, Internet protocol suite, Power User, Scripting, Software Development, SSH, TCP | Leave a Comment »
Readable code – and the long lost secret of how to achieve it on Vimeo
Posted by jpluimers on 2016/10/25
Uncle Bob’s 5-liners are not the way to go, nor are all those glue frameworks as they hide the complexity to places nobody can mentally reconstruct them.
So:
- Find a balance between method length and your drive to refactor.
- Learn to read.
Thanks Christin Gorman for this great little and very much to the point presentation.
–jeroen
Share this:
Posted in Development, Software Development | Leave a Comment »
I don’t have #IoT. I have #LoT. LAN of things.
Posted by jpluimers on 2016/10/24
Interesting thought:
Devices in a separate LAN (or VLAN) with no default gateway and some firewall rules to access them from your regular LAN and update them through FWUPD an open source firmware update.
Sounds like a dream? We should all make it come true!
Read I don’t have #IoT. I have #LoT. LAN of things. for more ideas.
–jeroen
Share this:
Posted in IoT Internet of Things, Network-and-equipment, Power User | Leave a Comment »
Some links on converting non KVM VMs to Proxmox
Posted by jpluimers on 2016/10/24
Gut feeling indicates I need these someday:
- Source: Linux-KVM: Migrating Hyper-V VHD Images to KVM – IT From All Angles
- Source: Migration of servers to Proxmox VE – Proxmox VE
- Source: Migrate Hyper-V Machine to Proxmox KVM | Proxmox Support Forum
- Source: Migration of VMware image to KVM on LVM (raw) | Proxmox Support Forum
From VHD to Proxmox you need to convert to RAW not IMG:
# qemu-img convert -f vpc -O raw PATH/to/DISK.vhd PATH/to/DISK.raw
–jeroen
Share this:
Posted in Power User, Proxmox, Virtualization | Leave a Comment »
List of “Plain Text Offenders”; hopefully someone publishes a list of https offenders too
Posted by jpluimers on 2016/10/24
This Plain Text Offenders site lists email screenshots of organisations sending back plain-text passwords they kept on file (According to Robert Love, Idera/Embarcadero should be on the list as well).
It is one of the most horrible things that can be done for a password.
Business and IT do many horrible things, so I really hope someone will start a similar site about SSL Labs F-rated domains. The ones that are so broken that they degraded their https to virtually plain-text http quality.
In the past, a notorious example of this was Embarcadero, who in the past managed to get F-rating or had wrong configurations on the below domains, therefore preventing me from logging in and getting new products from them (which is far worse than them not cleaning up their bug database):
Share this:
Posted in Delphi, Development, Hashing, https, OpenSSL, Power User, Public Key Cryptography, QC, Security, Signing, Software Development | 3 Comments »
The IoT strikes back again: half a million IoT devices killed DYN DNS for hours, but fixing this will be hard
Posted by jpluimers on 2016/10/22
Less than a month after The IoT strikes back: 650 Gigabit/second and 1 Terabit/second attacks by IoT devices within a week the IoT struck back again: an estimated half a million IoT devices was used to perform multiple DDoS attacks against Dyn Managed DNS that took around 11 hours to resolve.
Google DNS appears to “live” near me in Amsterdam
High availability usually involves a mix of DNS TTL and/or BGP routing. That’s typically how CDN providers like Cloudflare work (it’s one of the reasons that global DNS servers like Google’s 8.8.8.8 appear near to you and over time routes – some MPLS – to it change). Short DNS TTL can help CDN, requires a very stable DNS infrastructure and is similar to but different from a Fast Flux network.
Last months attacks were on a security researcher and a single ISP. The Dyn DNS attack affected even more internet services (not just sites like Twitter, WhatsApp, AirBnB and Github). So I’m with Bruce Schneier that Someone Is Learning How to Take Down the Internet.
Handling these attacks is hard as the DDoS mitigation firms simply cannot handle the sudden increase of attack sizes yet. BCP38 should be part of mitigation, but the puzzle is big and fixing it won’t be easy though root-causes of bugs change as a lot of research is in progress.
I’m not alone in expecting it to get worse though before getting better.
On the client side, I learned that many users could cope by changing their DNS servers to either of these Public DNS Servers:
- OpenDNS 208.67.222.222, 208.67.220.220, 208.67.222.220, 208.67.220.222
- OpenDNS does a good job of handing “last known good” IPs when they can’t resolve.
- Google Public DNS 8.8.8.8, 8.8.4.4
- Level 3 DNS 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, 4.2.2.6
Some more interesting tidbits on the progress and mitigation on this particular attack are the over time heat-maps of affected regions and BGP routing changes below.
Share this:
Posted in CDN (Content Delivery Network), Cloud, Cloudflare, DNS, Hardware, Infrastructure, Internet, IoT Internet of Things, Network-and-equipment, Opinions, Power User | Leave a Comment »
display – How can I move spaces between external monitors in Mavericks? – Ask Different
Posted by jpluimers on 2016/10/21
display – How can I move spaces between external monitors in Mavericks? – Ask Different [WayBack]
You can only move spaces which are non-active.
For example, lets say you have spaces 1 and 2. If space 1 is active, you can not move it. You first have to select space 2 then you can move space 1 to a different monitor.
This helped me work around version 8.35 of Microsoft Remote Desktop for OS X breaks second monitor usage [WayBack]:
- Double click a connection so it goes to a new space on the primary display
- Make the normal space active (by three finger swiping on the primary display)
- Go to mission control
- Move the non-active RDP space to the secondary monitor
Sometimes the primary monitor doesn’t have a non-active space any more so you have to create a new one in the top right of Mission Control [WayBack].
–jeroen
Share this:
Posted in Apple, Mac, Mac OS X / OS X / MacOS, MacBook, MacBook Retina, MacBook-Pro, OS X 10.9 Mavericks, Power User, Remote Desktop Protocol/MSTSC/Terminal Services, Windows | Leave a Comment »
How To Patch and Protect Linux Kernel Zero Day Local Privilege Escalation Vulnerability CVE-2016-5195 [ 21/Oct/2016 ]
Posted by jpluimers on 2016/10/21
There is a nasty (Dirty COW: CVE-2016-5195) Linux kernel bug with zero-day exploits floating around
OpenSuSE updates will be available soon (likely this weekend); from the #openSUSE-factory IRC channel :
wiert: any E.T.A. for CVE-2016-5195 in the various releases?
…_Marcus_: 13.1 and 42.1 i just released. 13.2 submission i am still awaiting, so release likely tomorrow
…wiert: How about Tumbleweed?
…DimStar: for TW, I have it in staging and will try to squeeze it into the 1021 snapshot
so unlike something really bad happened, it should be shipping tomorrow or Sunday
via: How To Patch and Protect Linux Kernel Zero Day Local Privilege Escalation Vulnerability CVE-2016-5195 [ 21/Oct/2016 ] [WayBack]
Progress can be tracked at https://bugzilla.suse.com/show_bug.cgi?id=CVE-2016-5195 (via simotek a.k.a. Simon Lees at IRC). Hopefully 13.2 will get released on Monday.
Edit: 13.2 didn’t make it on monday. Progress can be found via https://build.opensuse.org/project/maintenance_incidents/openSUSE:Maintenance (slow loading page!) and is at https://build.opensuse.org/project/show/openSUSE:Maintenance:5752
More exploits at https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
–jeroen
Testing 13.2:
# zypper addrepo http://download.opensuse.org/repositories/openSUSE:/Maintenance:/5752/openSUSE_13.2_Update/openSUSE:Maintenance:5752.repo # zypper patch
This works fine in await of the formal update process and me testing it resulted in the release of the kernel to the official 13.2 update, but note you still have to reboot after the update even though the process doesn’t tell you that:
wiert: @_Marcus_ “klopt als een zwerende vinger” or in English: works splendid. install and test log at https://gist.github.com/jpluimers/42694ab1df04ea1bc8433ae021f9ef7e wiert: @_Marcus_ thanks about teaching me about `zypper patch`. Need to run for the fundraising event now. _Marcus_: wiert: thanks :) wiert: @_Marcus_ no problem. Given the work you guys (and gals?) do it’s a small thing with the added bonus of contributing to my motto “life is about learning new things every day”. _Marcus_: after your feedback i have now released the kenel ;) wiert: @_Marcus_ great, looking forward to the actual update later. Thanks a lot! wiert: @_Marcus_ I’ve updated the gist: 13.2 plus official dirty-COW update needs reboot, but the update process doesn’t list about reboot. Didn’t get the full zypper output, but I after updating I did a before/after reboot comparison of the behaviour. Results in https://gist.github.com/jpluimers/42694ab1df04ea1bc8433ae021f9ef7e#file-testing-official-update-before-reboot-then-reboot-retest-txt
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # zypper addrepo http://download.opensuse.org/repositories/openSUSE:/Maintenance:/5752/openSUSE_13.2_Update/openSUSE:Maintenance:5752.repo | |
| Adding repository 'openSUSE:Maintenance:5752 (openSUSE_13.2_Update)' ……………………………………………………………………………………………………………………………………………………………………………..[done] | |
| Repository 'openSUSE:Maintenance:5752 (openSUSE_13.2_Update)' successfully added | |
| Enabled : Yes | |
| Autorefresh : No | |
| GPG Check : Yes | |
| URI : http://download.opensuse.org/repositories/openSUSE:/Maintenance:/5752/openSUSE_13.2_Update/ | |
| # zypper patch | |
| New repository or package signing key received: | |
| Repository: openSUSE:Maintenance:5752 (openSUSE_13.2_Update) | |
| Key Name: openSUSE:Maintenance OBS Project <openSUSE:Maintenance@build.opensuse.org> | |
| Key Fingerprint: 7C097045 B0D351D3 69AC453A 598D0E63 B3FD7E48 | |
| Key Created: Thu Aug 6 11:49:53 2015 | |
| Key Expires: Sat Oct 14 11:49:53 2017 | |
| Rpm Name: gpg-pubkey-b3fd7e48-55c32dc1 | |
| Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r): t | |
| Building repository 'openSUSE:Maintenance:5752 (openSUSE_13.2_Update)' cache ………………………………………………………………………………………………………………………………………………………………………[done] | |
| Loading repository data… | |
| Reading installed packages… | |
| Resolving package dependencies… | |
| The following NEW package is going to be installed: | |
| kernel-default-3.16.7-45.1 | |
| The following NEW patch is going to be installed: | |
| 5752 | |
| 1 new package to install. | |
| Overall download size: 45.2 MiB. Already cached: 0 B After the operation, additional 213.5 MiB will be used. | |
| Continue? [y/n/? shows all options] (y): y | |
| Retrieving package kernel-default-3.16.7-45.1.x86_64 (1/1), 45.2 MiB (213.5 MiB unpacked) | |
| Retrieving: kernel-default-3.16.7-45.1.x86_64.rpm ……………………………………………………………………………………………………………………………………………………………………………………[done (3.6 MiB/s)] | |
| Checking for file conflicts: …………………………………………………………………………………………………………………………………………………………………………………………………………………[done] | |
| (1/1) Installing: kernel-default-3.16.7-45.1 …………………………………………………………………………………………………………………………………………………………………………………………………..[done] | |
| Additional rpm output: | |
| warning: /var/cache/zypp/packages/openSUSE_Maintenance_5752/x86_64/kernel-default-3.16.7-45.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID b3fd7e48: NOKEY | |
| Creating initrd: /boot/initrd-3.16.7-45-default | |
| Executing: /usr/bin/dracut –logfile /var/log/YaST2/mkinitrd.log –force /boot/initrd-3.16.7-45-default 3.16.7-45-default | |
| dracut module 'plymouth' will not be installed, because command 'plymouthd' could not be found! | |
| dracut module 'plymouth' will not be installed, because command 'plymouth' could not be found! | |
| dracut module 'cifs' will not be installed, because command 'mount.cifs' could not be found! | |
| dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found! | |
| dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found! | |
| dracut module 'cifs' will not be installed, because command 'mount.cifs' could not be found! | |
| dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found! | |
| dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found! | |
| *** Including module: bash *** | |
| *** Including module: warpclock *** | |
| *** Including module: i18n *** | |
| *** Including module: ifcfg *** | |
| *** Including module: btrfs *** | |
| *** Including module: kernel-modules *** | |
| Failed to install module sd_mod | |
| Failed to install module unix | |
| Failed to install module atkbd | |
| Failed to install module i8042 | |
| Omitting driver i2o_scsi | |
| Failed to install module swap | |
| *** Including module: resume *** | |
| *** Including module: rootfs-block *** | |
| *** Including module: terminfo *** | |
| *** Including module: udev-rules *** | |
| Skipping udev rule: 91-permissions.rules | |
| Skipping udev rule: 80-drivers-modprobe.rules | |
| *** Including module: systemd *** | |
| Failed to install module autofs4 | |
| Failed to install module ipv6 | |
| *** Including module: usrmount *** | |
| *** Including module: base *** | |
| *** Including module: fs-lib *** | |
| *** Including module: shutdown *** | |
| *** Including module: suse *** | |
| *** Including modules done *** | |
| *** Installing kernel module dependencies and firmware *** | |
| *** Installing kernel module dependencies and firmware done *** | |
| *** Resolving executable dependencies *** | |
| *** Resolving executable dependencies done*** | |
| *** Hardlinking files *** | |
| *** Hardlinking files done *** | |
| *** Stripping files *** | |
| *** Stripping files done *** | |
| *** Generating early-microcode cpio image *** | |
| *** Constructing GenuineIntel.bin **** | |
| *** Store current command line parameters *** | |
| Stored kernel commandline: | |
| resume=UUID=abc2d6ec-f332-4788-8f30-c4c16e20d80b | |
| root=UUID=6d56201f-f95c-403b-9652-c5fe8833f3ca rootflags=rw,relatime,space_cache rootfstype=btrfs | |
| *** Creating image file *** | |
| *** Creating image file done *** | |
| Some kernel modules could not be included | |
| This is not necessarily an error: | |
| sd_mod | |
| unix | |
| atkbd | |
| i8042 | |
| swap | |
| autofs4 | |
| ipv6 | |
| Update bootloader… | |
| Warning: One of installed patches requires reboot of your machine. Reboot as soon as possible. | |
| # reboot |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| (1/3) Installing: kernel-default-3.16.7-45.1 ……………………………………………………………………………………………….[done] | |
| Additional rpm output: | |
| Creating initrd: /boot/initrd-3.16.7-45-default | |
| Executing: /usr/bin/dracut –logfile /var/log/YaST2/mkinitrd.log –force /boot/initrd-3.16.7-45-default 3.16.7-45-default | |
| dracut module 'plymouth' will not be installed, because command 'plymouthd' could not be found! | |
| dracut module 'plymouth' will not be installed, because command 'plymouth' could not be found! | |
| dracut module 'cifs' will not be installed, because command 'mount.cifs' could not be found! | |
| dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found! | |
| dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found! | |
| dracut module 'cifs' will not be installed, because command 'mount.cifs' could not be found! | |
| dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found! | |
| dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found! | |
| *** Including module: bash *** | |
| *** Including module: warpclock *** | |
| *** Including module: i18n *** | |
| *** Including module: ifcfg *** | |
| *** Including module: btrfs *** | |
| *** Including module: kernel-modules *** | |
| Failed to install module sd_mod | |
| Failed to install module unix | |
| Failed to install module atkbd | |
| Failed to install module i8042 | |
| Omitting driver i2o_scsi | |
| Failed to install module swap | |
| *** Including module: resume *** | |
| *** Including module: rootfs-block *** | |
| *** Including module: terminfo *** | |
| *** Including module: udev-rules *** | |
| Skipping udev rule: 91-permissions.rules | |
| Skipping udev rule: 80-drivers-modprobe.rules | |
| *** Including module: systemd *** | |
| Failed to install module autofs4 | |
| Failed to install module ipv6 | |
| *** Including module: usrmount *** | |
| *** Including module: base *** | |
| *** Including module: fs-lib *** | |
| *** Including module: shutdown *** | |
| *** Including module: suse *** | |
| *** Including modules done *** | |
| *** Installing kernel module dependencies and firmware *** | |
| *** Installing kernel module dependencies and firmware done *** | |
| *** Resolving executable dependencies *** | |
| *** Resolving executable dependencies done*** | |
| *** Hardlinking files *** | |
| *** Hardlinking files done *** | |
| *** Stripping files *** | |
| *** Stripping files done *** | |
| *** Generating early-microcode cpio image *** | |
| *** Constructing GenuineIntel.bin **** | |
| *** Store current command line parameters *** | |
| Stored kernel commandline: | |
| resume=UUID=abc2d6ec-f332-4788-8f30-c4c16e20d80b | |
| root=UUID=6d56201f-f95c-403b-9652-c5fe8833f3ca rootflags=rw,relatime,space_cache rootfstype=btrfs | |
| *** Creating image file *** | |
| *** Creating image file done *** | |
| Some kernel modules could not be included | |
| This is not necessarily an error: | |
| sd_mod | |
| unix | |
| atkbd | |
| i8042 | |
| swap | |
| autofs4 | |
| ipv6 | |
| Update bootloader… | |
| (2/3) Installing: ghostscript-9.15-6.1 …………………………………………………………………………………………………….[done] | |
| (3/3) Installing: ghostscript-x11-9.15-6.1 …………………………………………………………………………………………………[done] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c | |
| $ gcc -lpthread dirtyc0w.c -o dirtyc0w | |
| $ sudo su – | |
| # echo this is not a test > foo | |
| # cat foo | |
| this is not a test | |
| # logout | |
| $ ./dirtyc0w foo m00000000000000000 | |
| mmap ffffffffffffffff | |
| madvise -100000000 | |
| procselfmem -100000000 | |
| $ cat foo | |
| cat: foo: No such file or directory | |
| $ sudo su – | |
| # cat foo | |
| this is not a test | |
| # logout |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ cd /tmp/ | |
| $ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c | |
| $ gcc -lpthread dirtyc0w.c -o dirtyc0w | |
| $ sudo su – | |
| # echo this is not a test > foo | |
| # cat foo | |
| this is not a test | |
| # logout | |
| $ ./dirtyc0w foo m00000000000000000 | |
| mmap 7f6ab7207000 | |
| madvise 0 | |
| procselfmem 1800000000 | |
| $ cat foo | |
| m00000000000000000 | |
| $ sudo su – | |
| # reboot | |
| login | |
| $ cd /tmp/ | |
| $ sudo su – | |
| # cat foo | |
| this is not a test | |
| # logout | |
| $ ./dirtyc0w foo m00000000000000000 | |
| mmap 7f5465983000 | |
| madvise 0 | |
| procselfmem 1800000000 | |
| $ cat foo | |
| this is not a test |
Share this:
Posted in *nix, openSuSE, Power User, SuSE Linux, Tumbleweed | Leave a Comment »
The Wiert Corner - irregular stream of stuff 