Scraping data from a BT home hub 5

2015-03-28, Categories: network

If you have BT broadband and want to graph the synced speed and actual use of your broadband connection, and you use the BT-provided router (Home Hub), then you can't use SNMP to get these counters. But you can get the data over HTTP without too much trouble. Here are some ugly one-liners for doing that.


How to boot an encrypted system safely

2015-03-27, Categories: security, tpm

These are my notes on how to set up a system securely, in a way that would prevent attackers from performing an "evil maid attack".


Raytracing Quake demos

2015-03-22, Categories: coding

I decided to combine these two problems into one solution:

My solution is to convert Quake .dem files to .pov files and render them with POV-Ray.

Update: New better screenshot:

Quake scene rendered in POV-Ray


My mechanical keyboard

2015-03-21, Categories: hardware

You spend all your waking time at a keyboard. This blog post is about keyboards, and can be summarized as: Buy quality, cry once.


Secure browser-to-proxy communication - again

2014-09-20, Categories: security, network

I've previously blogged about a secure connection between browser and proxy. Unfortunately that doesn't work on Android yet, since you can't set Proxy Auto-Config unless you use Google for Work (an enterprise offering).

This post shows you how to get that working for Android. It also skips the stunnel hop, since it doesn't add value and only makes Squid not know your real address. Here I'm also using a username and password to authenticate to the proxy instead of client certificates, to make it easier to set up.


Colour calibration in Linux

2014-09-18, Categories: unix

This is just a quick note on how to create .icc colour profiles in Linux. You need a colour calibrator (piece of hardware) for this to be useful to you.

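#!/bin/sh
# $1 is the base name for the generated files, $2 is passed to dispcal -t.
NAME=$1
COLOR=$2
DESC="Some random machine"
QUALITY=h   # or l for low, m for medium
set -e

# Calibrate the display.
dispcal -m -H -q "$QUALITY" -y l -F -t "$COLOR" -g 2.2 "$NAME"
# Generate the set of test patches.
targen -v -d 3 -G -e 4 -s 5 -g 17 -f 64 "$NAME"
# Measure the test patches on the display.
dispread -v -H -N -y l -F -k "$NAME.cal" "$NAME"
# Build the ICC profile; DESC is quoted so it stays a single argument.
colprof -v -D "$DESC" -q m -a G -Z p -n c "$NAME"
# Install the profile.
dispwin -I "$NAME.icc"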


Another way to protect your SSH keys

2014-06-17, Categories: security, network, unix

Let's say you don't have a TPM chip, or you hate them, or for some other reason don't want to use one to protect your SSH keys. There's still hope! Here's a way to make it possible to use a key without having access to it, meaning that if you get hacked the key can't be stolen.


Don't forget to restart all your OpenSSL binaries

2014-04-20, Categories: security

The wonder of UNIX is that you can delete running binaries and loaded shared libraries. The drawback is that you get no warning that you're still actually running old versions, e.g. an old Heartbleed-vulnerable OpenSSL.

Server binaries are often not forgotten by upgrade scripts, but client binaries almost certainly are. Did you restart your irssi? PostgreSQL client? OpenVPN client?

Find processes running with deleted OpenSSL libraries:

$ sudo lsof | grep 'DEL.*libssl'
apache   17179      root  DEL       REG        8,1               24756 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0


How TPM-protected SSH keys work

2013-11-30, Categories: security, unix, hsm

In my last blog post I described how to set up SSH with TPM-protected keys. This time I'll try to explain how it works.


TPM chip protecting SSH keys - properly

2013-11-26, Categories: security, hsm, tpm, unix

Not long after getting my TPM chip to protect SSH keys in a recent blog post, it started to become obvious that openCryptoki was not the best solution. It's large, complicated, and, frankly, insecure. I dug in to see if I could fix it, but there was too much I wanted to fix, and too many features I didn't need.

So I wrote my own. It's smaller, simpler, and more secure. This post is about this new solution.
