American Judges are nothing more than farmers

Where do american people study to become judges ? How can so foolish people become judges ? Just check this news from a Minessota court…

A Minnesota appeals court has ruled that the presence of encryption software on a computer may be viewed as evidence of criminal intent.

Read about this hilarious matter.. I don’t care if the guy was in child pr0n industry…let him rot in jail…but PGP is NOT evidence that someone is using the power of the dark force to conquer the world. Make this judge a favour and sent him home to farm his fields…

grrrrrrr

another message on a wall

greeks only too…

I don’t need to comment on it 🙂

Introduction to TOR

Today I’ve decided to use Tor a bit. One can say it’s an anonymity tool…but it’s not only that. It’s something more like an underground internet community. You can read an excellent article about Tor too.

Some quotes from the Tor site:

Tor: An anonymous Internet communication system

Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and more.

Your traffic is safer when you use Tor, because communications are bounced around a distributed network of servers, called onion routers. Instead of taking a direct route from source to destination, data packets on the Tor network take a random pathway through several servers that cover your tracks so no observer at any single point can tell where the data came from or where it’s going. This makes it hard for recipients, observers, and even the onion routers themselves to figure out who and where you are. Tor’s technology aims to provide Internet users with protection against “traffic analysis,” a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security.

To the point…Using Tor and privoxy you have access to what’s inside the Tor network. There are hidden wikis, book collections and even more.
This link goes to Tor Network Hidden Wiki and this one goes to KIRA – online list of Tor featured sites.
Notes from the Underground is pretty cool too.

The complete details of connecting to the Tor world are here: Tor Documentation
Oh…if you want anonymous P2P with Tor…check this page about Tor+azureus.
Check this graffiti I’ve found while surfing a site inside the Tor network…I think that it’s great…

P.S. This was posted using the Tor network…my apache logs are clear about this 🙂

Bluetooth + Gentoo + SE K700i

Today I’ve done some first steps in connecting my new phone (sony ericsson k700i) to my box. I’ve borrowed a bluetooth usb dongle from a friend (thnx a lot chrys!) and started playing with it. First thing to do was read what was already documented. Starting at “HOWTO mobile phone, Bluetooth and GNOME” you can easily get a general idea on what’s needed. But there’s a major part missing… the creation of the correct devices.
That’s done by:
cd /dev && mknod rfcomm0 c 216 0 && mknod rfcomm1 c 216 1 && mknod ttyU0 c 208 0 && mknod ttyU1 c 208 1

Following the tutorial above, after having created the proper devices as stated above, is really easy to send files to your phone through nautilus. Just open it and “Send via bluetooth”.
When I have the time I will write about command line sending and receiving files.

Playing midi files at Gentoo linux

My new phone, Sony Ericsson K700i, supports polyphonic ringtones, mp3 or midi, so I downloaded a few from the internet and I wanted to upload them to the phone. Before doing so I also wanted to listen to them on my box. I had never tested playing midi files on my box so far so when I tried listening to them “out-of-the-box” I ran into problems.
I started reading Gentoo Linux ALSA Guide again.
Basically I just had to:
#emerge awesfx

and then load a soundfont … which is a good soundfont though ? Googling around I came up to this site which has a lot of information on soundfonts and has 2 great soundfonts available for linux. They might be BIG…but it’s worth it if you want extra high quality. The difference between those offered at PersonalCopy and the one provided by creative and included at alsa-project is just HUGE.
Just try them with:
# asfxload 8MBGMSFX.SF2
or
# asfxload UNISON.SF2

and play the same file…You’ll hear the clear difference.
You can use kmid to play the files and/or a collection of midi files. Don’t forget to choose your midi output device though…
# aplaymidi -l will give you the complete list of midi devices in your box. Before choosing the “correct” midi port in kmid try all out with:
# aplaymidi -p midi:port file.mid

Image Editing with gimp

I have just bought my new digital camera…and I want to be able to “play” with it as much as I can. There are stuff you can do with the camera…and stuff you can do at your box. Most photo editing tutorials are about photoshop and other windows utilities. This one provides some helpfull tips for editing pics with gimp. More gimp tutorials can also be found here, here, here, and here.
Some more interesting links:
How To Work With Your Digital Camera’s Histogram
The Arithmetic of Printing Images
Understanding Resolution

I hope that’s enough food for thought and practice for now…

Oh btw…I’ve “installed” Internet Explorer in my Gentoo Linux…for..”fun”…Just follow this nice tutorial if you want to learn how to do it. It’s simple…and useless 🙂

Message written on a wall

Greeks only…
Just check this and tell me if it isn’t great or what ? It’s written in a wall about 200m from my house…

The revenge of Internet Explorer

Who thought that my e-banking troubles were over? huh…
Today when I logged in I saw that I was able to create client certificates to verify money transfers. I can’t do money transfers without this certificate that the bank provides. So…I clicked on a few links with firefox…and ooooops…ERROR…I couldn’t create a certificate with firefox. It couldn’t find the “proper” security devices. I tried with my firefox @ work where I have windows installed. Same error. Then it was time for Internet Explorer. click click click…and I had a perfect certificate. I couldn’t export it though to use it with firefox. So Eurobank forces me to use Windows and IE to make money transfers. I DID NOT SIGN THAT on the agreement. I don’t have the money to buy windows @ home, I use Linux, period. It’s tooooooooo bad that they have some nice security features on their site…like virtual keyboard for typing passwords with a mouse, so you can’t get “sniffed” but they can’t make their site usable for all users.
I am going to call them tomorrow to ask them what can I do, if there is any hidden “link” that works with firefox and can provide me a client certificate…else…I will start looking for a new bank with better e-banking methods that will fully support Linux…and transfer my money there. What’s the use of having my money in a place I can’t “access” them ?

That’s the error message I get (it’s in Greek, sorry):

e-banking

I’ve just updated WordPress to 1.5.1. It supposedly has a lot of bugfixes…we’ll see. Anyway…to the point..

Today I’ve finally activated my e-banking account. The process was quite long…I had to go to a bank, sign some papers, then wait 4 days for a courrier to come and give me my passwords. After doing that I had to activate the account via telephone. But wait…I didn’t have telephone-banking enabled…so another 2 day delay until my telephone-banking account was enabled, and then I could finally enable my e-banking. When I first logged in I saw a very stupid page warning me that I should click on “the yellow locker in Internet Explorer” to make sure I was inside the right domain, bank’s domain.
– Well I don’t have IE…what should I do now master ?
– Use the force and click “CONTINUE” young Luke….
I clicked once…clicked twice…opened the url in another Tab…another Window…nothing…the frame would not let me go. I guess it had a special IE thingie that was not satisfied by my Firefox’s “click”…
Anyway…I closed the window…and tried re-logging in. No stupid welcome screen. Yuppi!
Browsing around, it felt like working. But I can’t be sure unless I have to transfer money to another account…then I shall see if I have one more of those stupid “use IE only please” warnings. I have the bank documents I signed in front of me…I see nowhere any term forcing me to use IE or windows only. Is e-banking only for the “serious” windows users ?
Oh and what’s the name of the bank ? Eurobank!
From the other hand it’s the only bank in Greece that offers the creation of digital certificates in order to make money transfers, and not a bunch of passwords that you have to change all the time.
So the score is… 1-1

missed me ?

I am on easter vacations (it’s Greece here…orthodox easter is after the catholic one) in my home town since 4-5 days now…I am on dialup so bare with my absence. It’s so so hard to be “online” with dialup..I can’t even read my emails properly. I was used to adsl@home and my university’s line…and now I feel really weird. I got no tech/IT/whatever news from here. My only “news” is that the PortableFirefox I have inside my usb key is a life savior. I can go with it in any friend’s house or netcafe and have everything I want with me…including my passwords that I don’t even have to type 🙂

The only new thing I have found lately and it’s relatively handy is this: If you want to get rid of annoying error popups in firefox go to about:config, find browser.xul.error_pages.enabled and change its value to true. No more error popups, instead you get informative error html pages, I really liked it…

Annoying “security” company

While Googling the net I bumped into this hilarious, frustrating, “insert your own word here” company that sells PCs with “extra security”. It installs linux with some encryption options and asks very large amounts of money for a few copy paste clicks.
Just check this from their site:

Installed Secure™

Level One: Default installation with firewall, encrypted swap, no insecure services such as sendmail. On Gentoo Linux we use Firehol the easy to read and verify iptables based firewall.

Level Two: Loop-AES encrypted partition backed GPG secured multi-key encryption in a subdirectory of the default user with the GPG keyring stored on a USB keychain drive.

Level Three: Entire /home partition is encrypted with a GPG secured multi-key encryption with GPG keyring and partition keys stored on USB keychain drive. You must log in as root at the command line before logging in to X windows.

Level Four: Encrypted root and /home partitions with GPG secured multi-key encryption. Laptop unusable without keychain (and trusted CDROM if so desired). It is impossible to modify or even ascertain what is on the computer.

How much does these cost ? Prepare yourselves…

Level1: 0$
Level2: 200$
Level1: 300$
Level1: 400$

How ridiculous can some people be ?
Level 2 is something like this previous post of mine. Let’s count the chars:
The characters of the commands needed are 470 (or 9 copy-paste lines as I have written them in my post). They are FULLY scriptable, ie a guy who knows a bit of bash can create a script to produce this kind of encrypted loopfiles with a single command in under 3 minutes. But let’s say they don’t copy paste the lines…but they write down every character every time…one by one. It still makes us 0.4255$ per character. THIS is called FRAUD! I am even typing more characters in this post than they are typing to get 200$.

It’s easy to spot which is this company…just google some terms…
If you find the site…check their other “offers” too…

Usb key encryption frenzy, loopfile encryption

It’s time for something more serious now, time to play with encrypted partitions and loop devices storing the keys on the usb key.

Following the excellent loop-AES.README I created an encrypted loop file that is encrypted with some random keys which are stored inside a file…and that file is encrypted with gpg and stored inside my usb stick. Confused ? Here it goes…

“Create 65 random encryption keys and encrypt those keys using gpg.”
# head -c 2925 /dev/urandom | uuencode -m - | head -n 66 | tail -n 65| gpg --symmetric -a >/mnt/usb-key/keyfile.gpg

Time for the loop file creation. An example of a 100Mb file follows:
# dd if=/dev/urandom of=/my-encrypted-loop.aes bs=1k count=100000

Then encrypt the loop file using our previously generated keys. From losetup man page:

-K gpgkey
Password is piped to gpg so that gpg can decrypt file gpgkey which
contains the real keys that are used to encrypt loop device. If
decryption requires public/private keys and gpghome is not speci-
fied, all users use their own gpg public/private keys to decrypt
gpgkey. Decrypted gpgkey should contain 1 or 64 or 65 keys, each
key at least 20 characters and separated by newline. If decrypted
gpgkey contains 64 or 65 keys, then loop device is put to multi-key
mode. In multi-key mode first key is used for first sector, second
key for second sector, and so on. 65th key, if present, is used as
additional input to MD5 IV computation.

So…
# losetup -K /mnt/usb/keyfile.gpg -e AES256 /dev/loop3 /home/kargig/mytest
# losetup -d /dev/loop3

Now add this to /etc/fstab:
/my-encrypted-loop.aes /mnt/private ext3 defaults,noauto,user,loop=/dev/loop3,encryption=AES256,gpgkey=/mnt/usb-key/keyfile.gpg 0 0

now try this in order to check if the fstab entry is working and to format the loopfile:
# losetup -F /dev/loop3
# mke2fs -j /dev/loop3
# losetup -d /dev/loop3

If everything is fine…you can just try this:

mount /mnt/private

And you should be asked for your gpg passphrase 🙂 If you don’t have your usb key mounted, the loop file(or partition) won’t be mountable. BACKUP your keyfile.gpg!!!

What if you want to change your password ? Simply do this to decrypt the gpg file and re-encrypt it with a new password:
# gpg -d /mnt/usb-key/keyfile.gpg > /mnt/usb-key/clearkeys.txt
# cat /mnt/usb-key/clearkeys.txt | gpg --symmetric -a > /mnt/usb-key/newkeyfile.gpg
(now make sure the keyfile.gpg and newkeyfile.gpg differs, if yes it means that the gpg password was changed...move on)
# mv /mnt/usb-key/newkeyfile.gpg /mnt/usb-key/keyfile.gpg
# rm -f /mnt/usb-key/clearkeys.txt

(thanks to metown for pointing at some errors at the previous post)

What’s left to be done now is make it work like the pam_usb module, ie create a set of scripts(or programs?) so that when I want to mount the encrypted partition it will automatically check the usb key to find a private key to check it against the “partition’s public key” so there won’t be a need for typing a passphrase.

More fun with a usb key: pam_usb, hotplug and xlockmore

Uncle sivitos introduced the idea of using hotplug with the usb key. So here we go:

Insert this to your sysctl
kernel.hotplug = /usr/bin/usbhotplug
and then emerge xlockmore.
Now go to your /etc/pam_usb/handlers/xlock.sh, and edit it so the start function looks like this:
su - USERNAME -c "xlock -display $DISP"

where USERNAME is the name of the user that you start X with…you don’t still use X as root…do you ?

Now plug and unplug the usb key to see what happens. Normally when you unplug it your X session should be locked and you should be asked for a password. Then , when you plug your usb key back in … you should be able to return in your X session after 1-2 seconds of delay. Try it and tell me whether it works for you too 🙂

Using a usb stick to login to gentoo Linux

It was kinda late, and I wanted to do something tonight…something interesting. I was looking at my usb key when I had this flash…”Could I use my usb key to login to my pc with a certain account ?”.
Googling … googling… I need a PAM module to do it. eix time now!
#eix pam usb
* sys-libs/pam_usb
Available versions: 0.3.1 0.3.2
Homepage: http://www.pamusb.org/
Description: A PAM module that enables authentication using an USB-Storage device (such as an USB Pen) through DSA private/public keys.

Bingo!

I emerged it and edited /etc/pam.d/system-auth and /etc/pam.d/login
In the very first line of the files I added:
auth sufficient /lib/security/pam_usb.so !check_device allow_remote=1 force_device=/dev/sda1 fs=vfat debug=1 log_file=/var/log/pam_usb.log

Then I just did:
usbadm keygen /mnt/usb1 root 4096
as the great quickstart of pam_usb describes and I am set!

just a test then…:
$ su
#

Damn! I liked that!

and you can check the debug log too:
[device.c:371] Forcing device /dev/sda1
[device.c:346] Creating temporary mount point...
[device.c:354] Scheduling [/tmp/pam_usbI7wL6Z] for dropping
[device.c:358] Using /tmp/pam_usbI7wL6Z as mount point
[device.c:237] Trying to mount /dev/sda1 on /tmp/pam_usbI7wL6Z using vfat
[device.c:253] Device mounted, trying to open private key
[device.c:181] Opening /tmp/pam_usbI7wL6Z/.auth/root.XXXXXX
[device.c:261] Private key opened
[auth.c:207] Private key imported
[auth.c:218] Public key imported
[device.c:455] Dropping [/tmp/pam_usbI7wL6Z]
[dsa.c:77] Checking DSA key pair...
[dsa.c:87] Signing pseudo random data [1 time(s)]...
[dsa.c:94] Valid signature
[dsa.c:87] Signing pseudo random data [2 time(s)]...
[dsa.c:94] Valid signature
[dsa.c:87] Signing pseudo random data [3 time(s)]...
[dsa.c:94] Valid signature
[pam.c:207] Access granted

What about if I remove the usb key ?

$ su
Password:
su: Authentication failure
Sorry.
$

and the debug log:

[device.c:371] Forcing device /dev/sda1
[device.c:346] Creating temporary mount point...
[device.c:354] Scheduling [/tmp/pam_usbTMRHEZ] for dropping
[device.c:358] Using /tmp/pam_usbTMRHEZ as mount point
[device.c:237] Trying to mount /dev/sda1 on /tmp/pam_usbTMRHEZ using vfat
[device.c:242] mount failed: No such file or directory
[device.c:249] Unable to mount /dev/sda1, tried with 1 fs
[device.c:376] Device forcing failed, back to guess mode
[device.c:419] Cannot find any device
[device.c:455] Dropping [/tmp/pam_usbTMRHEZ]
[auth.c:186] Invalid device
[pam.c:203] Cannot authenticate user "root"

I really liked that today…felt like Mission Impossible..yeah 😛
I wonder if I could make that work with xscreensaver too…would be pretty cool, wouldn’t it ?

Gentoo and Acrobat Reader Firefox plugin fix

If you use gtk+ with version higher than 2.4.9 you might have noticed that the acrobat reader plugin does not work with firefox. To solve this you have to take certain steps.
mkdir /opt/Acrobat7/Reader/intellinux/lib/gui
ebuild /usr/portage/x11-libs/gtk+/gtk+-2.4.9-r1.ebuild install
cp -ax /var/tmp/portage/gtk+-2.4.9-r1/image/usr/lib/* /opt/Acrobat7/Reader/intellinux/lib/gui/

Now edit ‘acoread’ (/usr/bin/acroread)

find this section in the acroread script:
intellinux)
LD_LIBRARY_PATH="`prepend "$ACRO_INSTALL_DIR/$ACRO_CONFIG/lib:$ACRO_INSTALL_DIR/$ACRO_CONFIG/sidecars" "$LD_LIBRARY_PATH"`"
export LD_LIBRARY_PATH
;;

now modify the LD_LIBRARY_PATH line, ie. the ‘intellinux)’ one to look as follows:
LD_LIBRARY_PATH="`prepend "$ACRO_INSTALL_DIR/$ACRO_CONFIG/lib/gui:$ACRO_INSTALL_DIR/$ACRO_CONFIG/lib:$ACRO_INSTALL_DIR/$ACRO_CONFIG/sidecars" "$LD_LIBRARY_PATH"`"

and you are set 🙂

try the acrobat reader plugin now 🙂

It works for me!